[wp-trac] [WordPress Trac] #14556: get_pagenum_link() vulnerable to XSS attacks

WordPress Trac wp-trac at lists.automattic.com
Fri Aug 6 22:09:50 UTC 2010


#14556: get_pagenum_link() vulnerable to XSS attacks
--------------------------+-------------------------------------------------
 Reporter:  guigouz       |       Owner:                   
     Type:  defect (bug)  |      Status:  new              
 Priority:  normal        |   Milestone:  Awaiting Review  
Component:  Security      |     Version:  3.0.1            
 Severity:  normal        |    Keywords:  reporter-feedback
--------------------------+-------------------------------------------------
Changes (by scribu):

  * severity:  critical => normal


Comment:

 You need to use esc_url() before outputting what get_pagenum_link()
 returns.

 Decreasing severity because it's used properly everywhere in core.

 Should probably add a warning somewhere in the function's doc.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/14556#comment:3>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
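As an added example that is not part of the ticket or of WordPress core, the check below scans a PHP theme or plugin file for the pattern scribu describes: get_pagenum_link() echoed into markup without being wrapped in esc_url(). The sample template is constructed, and the scanner is a line-based heuristic, not a PHP parser.

```python
"""Heuristic scanner: get_pagenum_link() output that is not wrapped in esc_url()."""
import re

# Output contexts in a PHP template: echo, print, or the <?= short echo tag.
OUTPUT_RE = re.compile(r"(\becho\b|\bprint\b|<\?=)")
# The safe pattern: esc_url( directly wrapping get_pagenum_link(, whitespace allowed.
ESCAPED_RE = re.compile(r"esc_url\(\s*get_pagenum_link\(")
CALL = "get_pagenum_link("


def find_unescaped_pagenum_links(php_source: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for every line that outputs get_pagenum_link()
    without passing it through esc_url().

    Line-based heuristic: multi-line statements and values stored in a variable
    before being echoed are not tracked, so treat a clean result as a hint only.
    """
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        if CALL not in line or not OUTPUT_RE.search(line):
            continue            # not an output statement on this line
        if ESCAPED_RE.search(line):
            continue            # escaped correctly for a URL context
        findings.append((lineno, line.strip()))
    return findings


# Constructed sample template (not from the ticket) mixing unsafe and safe usage.
SAMPLE_TEMPLATE = """<?php
// unsafe: raw link echoed straight into an href attribute
echo '<a href="' . get_pagenum_link( $paged + 1 ) . '">Next</a>';
// safe: escaped for a URL attribute
echo '<a href="' . esc_url( get_pagenum_link( $paged + 1 ) ) . '">Next</a>';
$next = get_pagenum_link( 2 );  // assignment only, nothing output on this line
?>
<a href="<?= get_pagenum_link( 3 ) ?>">Three</a>
<a href="<?= esc_url( get_pagenum_link( 4 ) ) ?>">Four</a>
"""

if __name__ == "__main__":
    for lineno, text in find_unescaped_pagenum_links(SAMPLE_TEMPLATE):
        print(f"line {lineno}: {text}")   # reports lines 3 and 8 of the sample
```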