[wp-hackers] Plugin version number from WP.org sanitized?
Viper007Bond
viper at viper007bond.com
Mon Dec 3 10:11:06 GMT 2007
I've been playing around with the plugin update checker (writing a new
plugin that uses the data) and noticed that the data retrieved from
WP.org is displayed raw:
    printf( __('There is a new version of %s available. <a href="%s">Download version %s here</a>.'),
            $plugin_data['Name'], $r->url, $r->new_version );
Does this mean WP.org automatically htmlspecialchars() the version number
and such or was this overlooked?
What if I commit a new version of my plugin and put this as the version
number: 1.2.3<script>alert('omfghax');</script>
The same goes for plugin titles.
Wondering both for my plugin's sake and for security's sake.
--
Viper007Bond | http://www.viper007bond.com/
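The escaping concern raised in the post, shown as an added example (not code from the original message or from WordPress core). It is a stand-alone PHP script: the `$plugin_data` and `$r` values are constructed sample data modelled on the hostile version string in the post, and the `esc_html_ctx`, `esc_url_ctx` and `is_plausible_version` helpers are local stand-ins introduced here to illustrate context-specific escaping (in current WordPress the corresponding helpers are `esc_html()` and `esc_url()`).

```php
<?php
// Added example, not part of the original post or of WordPress core.
// Point: data returned by a remote update check (plugin name, version, URL)
// is untrusted input and must be escaped for the HTML context it lands in,
// regardless of whatever sanitizing the server side may or may not do.

// Constructed sample of an update-check response, using the hostile
// version string from the post plus a non-http URL for the link.
$plugin_data = array( 'Name' => 'My Plugin <b>bold</b>' );
$r = (object) array(
    'url'         => "javascript:alert('omfghax')",
    'new_version' => "1.2.3<script>alert('omfghax');</script>",
);

// Vulnerable form, equivalent to the printf() quoted in the post:
// every value is interpolated into markup as-is.
function render_update_notice_raw( $plugin_data, $r ) {
    return sprintf(
        'There is a new version of %s available. <a href="%s">Download version %s here</a>.',
        $plugin_data['Name'], $r->url, $r->new_version
    );
}

// Escape a value for HTML text content (hypothetical helper; WordPress has esc_html()).
function esc_html_ctx( $value ) {
    return htmlspecialchars( (string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// Allow only http(s) in href and escape for the attribute context
// (hypothetical helper; WordPress has esc_url()). Anything else, such as a
// javascript: URL, is replaced by an empty string.
function esc_url_ctx( $value ) {
    $scheme = strtolower( (string) parse_url( (string) $value, PHP_URL_SCHEME ) );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return '';
    }
    return htmlspecialchars( (string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// Hardened form: each value is escaped for the context it is placed in
// (text content for the name and version, attribute value for the URL).
function render_update_notice_safe( $plugin_data, $r ) {
    return sprintf(
        'There is a new version of %s available. <a href="%s">Download version %s here</a>.',
        esc_html_ctx( $plugin_data['Name'] ),
        esc_url_ctx( $r->url ),
        esc_html_ctx( $r->new_version )
    );
}

// Additional check: a plugin version should only ever look like 1.2.3 or
// 1.2.3-beta1; anything containing markup is rejected before it is shown.
function is_plausible_version( $version ) {
    return (bool) preg_match( '/^[0-9]+(\.[0-9]+)*([-.][A-Za-z0-9]+)*$/', (string) $version );
}

echo "RAW:  " . render_update_notice_raw( $plugin_data, $r ) . "\n";
echo "SAFE: " . render_update_notice_safe( $plugin_data, $r ) . "\n";
echo "version plausible? " . ( is_plausible_version( $r->new_version ) ? 'yes' : 'no' ) . "\n";
```

Running the script prints the raw notice with the `<script>` element and `javascript:` link intact, then the escaped notice in which the version renders as literal text and the link's href is empty; the version check reports "no" for the sample. The design choice worth noting is that escaping happens at output time, per context, so it does not matter whether WP.org strips tags on its side.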