[wp-trac] [WordPress Trac] #3937: All browser-bound outputs of add_query_arg() or remove_query_arg() must be sanitized with attribute_escape()

WordPress Trac wp-trac at lists.automattic.com
Fri Mar 9 04:33:34 GMT 2007


#3937: All browser-bound outputs of add_query_arg() or remove_query_arg() must be
sanitized with attribute_escape()
-----------------------------+----------------------------------------------
 Reporter:  markjaquith      |       Owner:  anonymous
     Type:  defect           |      Status:  new      
 Priority:  highest omg bbq  |   Milestone:  2.0.10   
Component:  Security         |     Version:  2.2      
 Severity:  critical         |    Keywords:  security 
-----------------------------+----------------------------------------------
 The {{{add_query_arg()}}} and {{{remove_query_arg()}}} functions do not
 generate XSS-proof URLs by default (because their output can also be used
 to redirect to the resultant URL).  But all browser-bound outputs of these
 functions must be sanitized before being echoed.  {{{attribute_escape()}}}
 is the function that escapes content used in attributes (and URLs are
 almost always used in attributes, like {{{<a href="<?php echo
 attribute_escape(add_query_arg('foo', 'value', $initial_url));
 ?>">link</a>}}} )
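 The following stand-alone PHP script is an added illustration of the point
 above; it is not WordPress code. Two stand-ins are assumed so it runs without
 WordPress loaded: {{{build_query_url()}}} plays the role of
 {{{add_query_arg()}}} (the appended pair is URL-encoded, but the base URL,
 which by default comes from the browser-controlled request URI, passes
 through untouched and is never HTML-escaped), and {{{attr_escape()}}} plays
 the role of {{{attribute_escape()}}}. The sample request URI is constructed.

```php
<?php
// Added example, not WordPress code. Stand-in helpers:
//   build_query_url()  models add_query_arg(): URL-encodes the new key/value
//                      pair but passes the base URL through verbatim and does
//                      NOT HTML-escape the result (so it stays usable for
//                      redirects).
//   attr_escape()      models attribute_escape(): HTML-escapes text for use
//                      inside a double-quoted attribute.

function build_query_url(string $key, string $value, string $base_url): string {
    $sep = (strpos($base_url, '?') === false) ? '?' : '&';
    return $base_url . $sep . rawurlencode($key) . '=' . rawurlencode($value);
}

function attr_escape(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample request URI: the existing query string carries a double
// quote and a tag, the kind of input the base-URL passthrough lets in.
$request_uri = '/wp-admin/edit.php?s=x"><b>injected</b>';

// Same call a plugin would make to build a "next page" link.
$url = build_query_url('paged', '2', $request_uri);

// WRONG: the raw URL is echoed into the attribute. The quote in the input
// closes href="..." and the rest of the input becomes live markup.
$unsafe_link = '<a href="' . $url . '">next</a>';

// RIGHT: every browser-bound output is attribute-escaped first. The quote and
// angle brackets become entities and the attribute stays intact.
$safe_link = '<a href="' . attr_escape($url) . '">next</a>';

// Redirects use the UNescaped URL. Escaping here would send the literal
// strings &quot; and &amp; to the client, which is why the helper (like
// add_query_arg()) does not escape by default.
$redirect_header = 'Location: ' . $url;

echo $unsafe_link, "\n";
echo $safe_link, "\n";
echo $redirect_header, "\n";
```

 Running it prints the broken link first (the {{{<b>}}} tag survives as
 markup) and the escaped link second (the same characters survive only as
 entities). When auditing a tree for this bug, the call sites to look at are
 any {{{echo}}} or {{{?>}}} output of {{{add_query_arg()}}} /
 {{{remove_query_arg()}}} that is not wrapped in {{{attribute_escape()}}};
 the redirect sites ({{{wp_redirect()}}} / {{{Location:}}} headers) are the
 ones that correctly stay unescaped.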

 XSS exploits have been tied to this vulnerability:

  * http://secunia.com/advisories/24430/

 Triple milestone here:

  * trunk
  * 2.0.x
  * 2.1.x

-- 
Ticket URL: <http://trac.wordpress.org/ticket/3937>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software