[wp-trac] [WordPress Trac] #3937: All browser-bound outputs of add_query_arg() or remove_query_arg() must be sanitized with attribute_escape()
WordPress Trac
wp-trac at lists.automattic.com
Fri Mar 9 04:33:34 GMT 2007
#3937: All browser-bound outputs of add_query_arg() or remove_query_arg() must be sanitized with attribute_escape()
-----------------------------+----------------------------------------------
Reporter: markjaquith | Owner: anonymous
Type: defect | Status: new
Priority: highest omg bbq | Milestone: 2.0.10
Component: Security | Version: 2.2
Severity: critical | Keywords: security
-----------------------------+----------------------------------------------
The {{{add_query_arg()}}} and {{{remove_query_arg()}}} functions do not
generate XSS-proof URLs by default (because their output can also be used
to redirect to the resultant URL). But all browser-bound outputs of these
functions must be sanitized before being echoed. {{{attribute_escape()}}}
is the function that escapes content used in attributes (and URLs are
almost always used in attributes, like
{{{<a href="<?php echo attribute_escape(add_query_arg('foo', 'value', $initial_url)); ?>">link</a>}}}).
XSS exploits have been tied to this vulnerability:
* http://secunia.com/advisories/24430/
Triple milestone here:
* trunk
* 2.0.x
* 2.1.x
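The unsafe and the corrected echo side by side, as an added illustration that is not code from the ticket or from WordPress core. It assumes a WordPress 2.x install is loaded so {{{add_query_arg()}}} and {{{attribute_escape()}}} exist; the include path and the request URI are constructed for the example.

```php
<?php
// Added example, not code from the ticket or from WordPress core.
// Assumes WordPress 2.x is loaded; the include path is a placeholder.
require_once '/path/to/wordpress/wp-config.php';

// Constructed request: the current URL carries a double quote and an
// angle bracket. add_query_arg() does no HTML escaping, so both characters
// survive into the URL it builds from $_SERVER['REQUEST_URI'].
$_SERVER['REQUEST_URI'] = '/wp-admin/edit.php?paged=2&tag=">x';

// Builds /wp-admin/edit.php?paged=2&tag=">x&orderby=date
$url = add_query_arg('orderby', 'date');

// Unsafe: the raw URL closes the href attribute early and the rest of the
// query string is rendered as markup (the XSS class the ticket describes).
$unsafe = '<a href="' . $url . '">Sort by date</a>';

// Safe: attribute_escape() turns " into &quot; and > into &gt;, so the
// request-controlled query string stays inside the attribute value.
$safe = '<a href="' . attribute_escape($url) . '">Sort by date</a>';

// The redirect case is why add_query_arg() itself stays unescaped: a
// Location header is not HTML, so the URL is used as-is there and escaping
// belongs only at the point where the URL is echoed into markup.
// wp_redirect($url);

echo $unsafe, "\n", $safe, "\n";
```

The same rule applies to {{{remove_query_arg()}}}, which returns the URL through the same code path and therefore needs {{{attribute_escape()}}} at every echo site.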
--
Ticket URL: <http://trac.wordpress.org/ticket/3937>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software