[wp-trac] [WordPress Trac] #14556: get_pagenum_link() needs esc_url()
WordPress Trac
wp-trac at lists.automattic.com
Wed Nov 24 15:00:33 UTC 2010
#14556: get_pagenum_link() needs esc_url()
--------------------------+-------------------------------------------------
Reporter: guigouz | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Security | Version: 3.0.1
Severity: normal | Resolution: wontfix
Keywords: |
--------------------------+-------------------------------------------------
Comment(by emartin24):
I ran into this same issue with my pagination plugin, WP-Paginate.
It doesn't seem to be an issue with get_comments_pagenum_link(), but
unless I wrap get_pagenum_link() with esc_url(), I am able to create an
XSS vulnerability.
I can see how it might be a complicated issue, but I would expect
WordPress to sanitize values returned from its functions, or at the very
least provide a huge warning to theme/plugin developers of potential
issues with certain functions.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/14556#comment:10>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
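
The wrapping the comment describes, as an added example (not code from WP-Paginate or WordPress core): a pagination renderer that passes every get_pagenum_link() result through esc_url() at the point where it enters the href attribute. It assumes it runs inside WordPress (theme or plugin context); the function name and CSS class names are hypothetical.

```php
<?php
/**
 * Added example: numbered archive pagination with escaping at output.
 * Assumes WordPress is loaded; myplugin_render_pagination() and the
 * class names are hypothetical.
 *
 * @param int $range Number of page links to show on each side of the current page.
 * @return string Escaped HTML, or an empty string when there is only one page.
 */
function myplugin_render_pagination( $range = 2 ) {
	global $wp_query;

	$total   = (int) $wp_query->max_num_pages;
	$current = max( 1, (int) get_query_var( 'paged' ) );
	if ( $total < 2 ) {
		return '';
	}

	$first = max( 1, $current - $range );
	$last  = min( $total, $current + $range );
	$items = array();

	for ( $n = $first; $n <= $last; $n++ ) {
		// Link text is escaped for an HTML text context.
		$label = esc_html( number_format_i18n( $n ) );

		if ( $n === $current ) {
			$items[] = '<li><span class="current">' . $label . '</span></li>';
			continue;
		}

		// Treat the return value of get_pagenum_link() as untrusted and
		// escape it for the href attribute here, where it is output.
		$href    = esc_url( get_pagenum_link( $n ) );
		$items[] = '<li><a href="' . $href . '">' . $label . '</a></li>';
	}

	return '<ol class="myplugin-pagination">' . implode( '', $items ) . '</ol>';
}

// Template usage (each piece of the markup is already escaped above):
// echo myplugin_render_pagination();
```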