Opened 3 days ago
Last modified 15 hours ago
#65047 new defect (bug)
Missing escaping for XML error message
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 7.1 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Pings/Trackbacks | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description (last modified by )
- File: src/wp-trackback.php
- Line: 37
- Problem: `$error_message` is output in XML without escaping

Current code:

```php
if ( $error ) {
    echo '<?xml version="1.0" encoding="utf-8"?' . ">\n";
    echo "<response>\n";
    echo "<error>1</error>\n";
    echo "<message>$error_message</message>\n";
    echo '</response>';
}
```

Fix:

```php
if ( $error ) {
    echo '<?xml version="1.0" encoding="utf-8"?' . ">\n";
    echo "<response>\n";
    echo "<error>1</error>\n";
    echo "<message>" . esc_html( $error_message ) . "</message>\n";
    echo '</response>';
}
```

Why it matters:
- XML special characters (&, <, >) can break XML parsing
- Error messages come from user actions or system states
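To make the parsing problem concrete, here is an added example that is not code from the ticket or from WordPress core. It rebuilds the wp-trackback.php error response with and without escaping and parses each result with SimpleXML, the way a trackback client would. Outside WordPress neither esc_html() nor esc_xml() exists, so xml_escape(), a wrapper around PHP's htmlspecialchars() with ENT_XML1, stands in for them (an assumption of this example); the two error messages are constructed inputs, not messages WordPress emits.

```php
<?php
// Added example, not code from the ticket or from WordPress core: it rebuilds
// the wp-trackback.php error response with and without escaping and parses the
// result, so the effect of raw XML metacharacters in $error_message is visible.
declare(strict_types=1);

/**
 * Stand-in for esc_html()/esc_xml(), which only exist inside WordPress
 * (assumption of this example). Escapes & < > " ' with XML 1.0 entities.
 */
function xml_escape(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_XML1 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the trackback error response; $escape selects the fixed or the original path. */
function trackback_error_response(string $error_message, bool $escape): string
{
    $message = $escape ? xml_escape($error_message) : $error_message;
    return '<?xml version="1.0" encoding="utf-8"?' . ">\n"
        . "<response>\n"
        . "<error>1</error>\n"
        . "<message>{$message}</message>\n"
        . '</response>';
}

/**
 * Parse the response as a trackback client would. Returns null when the
 * document is not well-formed, otherwise the decoded <message> text and the
 * number of <error> elements found.
 */
function parse_response(string $xml): ?array
{
    $prev = libxml_use_internal_errors(true);
    $doc  = simplexml_load_string($xml);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        return null;
    }
    return ['message' => (string) $doc->message, 'errors' => count($doc->error)];
}

// Constructed inputs (not messages WordPress emits): one with metacharacters
// that make the document malformed, one with markup that a parser would treat
// as structure instead of text.
$samples = [
    'Invalid URL: <http://example.com/?a=1&b=2>',
    'x</message><error>0</error><message>',
];

foreach ($samples as $msg) {
    $raw     = parse_response(trackback_error_response($msg, false));
    $escaped = parse_response(trackback_error_response($msg, true));
    printf("unescaped: %s\n", $raw === null ? 'malformed, parse failed' : json_encode($raw));
    printf("escaped:   %s\n", json_encode($escaped));
    // With escaping the message always round-trips and the structure is unchanged.
    assert($escaped['message'] === $msg && $escaped['errors'] === 1);
}
```

Run it with `php example.php`. For the first message the unescaped response fails to parse because of the raw `<` and `&`; for the second it parses, but with two `<error>` elements, because the message text became document structure. In both cases the escaped response parses, contains exactly one `<error>`, and the decoded `<message>` equals the original string.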
Change History (4)

#1 3 days ago
This ticket was mentioned in PR #11527 on WordPress/wordpress-develop by maheshpatel27.
- Keywords has-patch added

#2 3 days ago
This issue has been resolved and a PR generated:
PR - https://github.com/WordPress/wordpress-develop/pull/11527

#3 3 days ago
- Description modified (diff)
- Version trunk deleted

The trackback_response() function has been available since changeset 8, and the escaping functions were added later.
Would esc_xml() be a better choice?
Add escaping (src/wp-trackback.php, line 37):

```php
if ( $error ) {
    echo '<?xml version="1.0" encoding="utf-8"?' . ">\n";
    echo "<response>\n";
    echo "<error>1</error>\n";
    echo "<message>" . esc_html( $error_message ) . "</message>\n";
    echo '</response>';
}
```