WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#9656 closed defect (bug) (worksforme)

Add missing filters for values in edit-link-category-form.php

Reported by: Simek Owned by: ryan
Milestone: Priority: normal
Severity: major Version: 2.8
Component: Security Keywords: has-patch tested commit
Focuses: Cc:

Description

Add missing filters ("attribute_escape" and "wp_specialchars") for values in edit-link-category-form.php

Attachments (3)

missing.filters.for.values.in.edit-link-category-form.php.patch (2.0 KB) - added by Simek 5 years ago.
9656.patch (849 bytes) - added by hakre 5 years ago.
format_to_edit vs. wp_specialchars.
9656.diff (2.4 KB) - added by Denis-de-Bernardy 5 years ago.
format_to_edit for category, tag, and user description

Download all attachments as: .zip

Change History (18)

comment:1 hakre5 years ago

  • Keywords security added

is wp_specialchars() suitable within a textarea? (guess yes but I do not properly know).

is the 'editable_slug' filter applicable to be used for category slugs?

if both questions can be answered with yes I think this patch looks good. especially the attribute_escape call is important to prevent injection issues.

comment:2 hakre5 years ago

  • Type changed from enhancement to defect (bug)

unsufficent attribute value escapes are a defect, not an enhancement.

comment:3 Denis-de-Bernardy5 years ago

  • Component changed from General to Security
  • Owner changed from anonymous to ryan

comment:4 hakre5 years ago

attribute_escape() should become attr() (as in [11109])

comment:6 Denis-de-Bernardy5 years ago

  • Keywords needs-patch added; has-patch removed

broken patch

comment:7 hakre5 years ago

Repaired the patch. Partially this was already fixed in head because of the attr() run by ryan. looks like textareas are missing, I've chosen simeks variant using wp_specialchars() for textarea content.

comment:8 hakre5 years ago

  • Keywords has-patch added; needs-patch removed

comment:9 Denis-de-Bernardy5 years ago

for textareas, wp has the format_to_edit() sanitizer.

hakre5 years ago

format_to_edit vs. wp_specialchars.

comment:10 Denis-de-Bernardy5 years ago

  • Keywords tested commit added; security removed
  • Severity changed from normal to major

this one is major

Denis-de-Bernardy5 years ago

format_to_edit for category, tag, and user description

comment:11 Denis-de-Bernardy5 years ago

updated patch does the same for tag description and user description.

comment:12 ryan5 years ago

get_term_to_edit() should take care of the tag description.

comment:13 ryan5 years ago

get_user_to_edit() could stand to call format_to_edit() instead of wp_specialchars().

comment:14 ryan5 years ago

Some of the attribute escapes that got added are unnecessary since the *_to_edit() functions should take care of that.

comment:15 Denis-de-Bernardy5 years ago

  • Milestone 2.8 deleted
  • Resolution set to worksforme
  • Status changed from new to closed

oh right. after double checking, all three cases are processed already. sorry about that.

Note: See TracTickets for help on using tickets.