WordPress.org

Make WordPress Core

Opened 12 years ago

Closed 12 years ago

Last modified 5 years ago

#9656 closed defect (bug) (worksforme)

Add missing filters for values in edit-link-category-form.php

Reported by: Simek
Owned by: ryan
Milestone:
Priority: normal
Severity: major
Version: 2.8
Component: Security
Keywords: has-patch tested commit
Focuses:
Cc:

Description

Add missing filters ("attribute_escape" and "wp_specialchars") for values in edit-link-category-form.php

Attachments (3)

missing.filters.for.values.in.edit-link-category-form.php.patch (2.0 KB) - added by Simek 12 years ago.
9656.patch (849 bytes) - added by hakre 12 years ago.
format_to_edit vs. wp_specialchars.
9656.diff (2.4 KB) - added by Denis-de-Bernardy 12 years ago.
format_to_edit for category, tag, and user description


Change History (19)

#1 @hakre
12 years ago

  • Keywords security added

Is wp_specialchars() suitable within a textarea? (Guess yes, but I do not properly know.)

Is the 'editable_slug' filter applicable to be used for category slugs?

If both questions can be answered with yes, I think this patch looks good. Especially the attribute_escape call is important to prevent injection issues.

#2 @hakre
12 years ago

  • Type changed from enhancement to defect (bug)

Insufficient attribute value escapes are a defect, not an enhancement.

#3 @Denis-de-Bernardy
12 years ago

  • Component changed from General to Security
  • Owner changed from anonymous to ryan

#4 @hakre
12 years ago

attribute_escape() should become attr() (as in [11109])

#6 @Denis-de-Bernardy
12 years ago

  • Keywords needs-patch added; has-patch removed

Broken patch.

#7 @hakre
12 years ago

Repaired the patch. Partially this was already fixed in head because of the attr() run by ryan. Looks like textareas are missing; I've chosen Simek's variant using wp_specialchars() for textarea content.

#8 @hakre
12 years ago

  • Keywords has-patch added; needs-patch removed

#9 @Denis-de-Bernardy
12 years ago

For textareas, WP has the format_to_edit() sanitizer.

@hakre
12 years ago

format_to_edit vs. wp_specialchars.

#10 @Denis-de-Bernardy
12 years ago

  • Keywords tested commit added; security removed
  • Severity changed from normal to major

This one is major.

@Denis-de-Bernardy
12 years ago

format_to_edit for category, tag, and user description

#11 @Denis-de-Bernardy
12 years ago

Updated patch does the same for tag description and user description.

#12 @ryan
12 years ago

get_term_to_edit() should take care of the tag description.

#13 @ryan
12 years ago

get_user_to_edit() could stand to call format_to_edit() instead of wp_specialchars().

#14 @ryan
12 years ago

Some of the attribute escapes that got added are unnecessary since the *_to_edit() functions should take care of that.

#15 @Denis-de-Bernardy
12 years ago

  • Milestone 2.8 deleted
  • Resolution set to worksforme
  • Status changed from new to closed

Oh right. After double checking, all three cases are processed already. Sorry about that.

This ticket was mentioned in Slack in #core-i18n by ocean90.

5 years ago
