[wp-trac] [WordPress Trac] #20476: Twenty Eleven: replace esc_attr( printf() ) with sprintf to prevent potential xss and potential broken code.
WordPress Trac
wp-trac at lists.automattic.com
Wed Apr 18 07:22:26 UTC 2012
#20476: Twenty Eleven: replace esc_attr( printf() ) with sprintf to prevent
potential xss and potential broken code.
---------------------------+-----------------------------
Reporter: chellycat | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Bundled Theme | Version: 3.3
Severity: normal | Keywords:
---------------------------+-----------------------------
The following code is problematic and may lead to XSS as well as broken
code depending on when/how it is used:
{{{esc_attr( printf() )}}}
Take for example the following test:
{{{
function mfields_printf_test() {
	// Markup that must never reach the page unescaped.
	$test = '<h1 style="font-size: 50px; font-weight: bold; color: red;">TACO!</h1>';

	// sprintf() returns the string, so esc_attr() escapes the markup.
	$good = esc_attr( sprintf( $test ) );
	var_dump( $good );

	// printf() echoes the raw markup and returns only its length (70),
	// so esc_attr() escapes the number, not the markup.
	$bad = esc_attr( printf( $test ) );
	var_dump( $bad );
}
add_action( 'get_header', 'mfields_printf_test' );
}}}
This will produce the following output:
https://img.skitch.com/20120310-cjfm9aiqmym87f5we647k9equh.png
Notice how the string in {{{$good}}} is correctly escaped while the string
in {{{$bad}}} has been "converted" to a numeric string with the value of
"70". This is because {{{printf()}}} is intended to echo a value to the
screen. It does have a return value, which represents the length of the
output string. Since {{{$test}}} is 70 chars long, this value is 70.
Also notice how the string "TACO!" is echoed to the screen in large, red
text. This proves that {{{esc_attr()}}} is bypassed by {{{printf()}}},
allowing unescaped data to be echoed to the screen.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/20476>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
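The following PHP is an added example written for this page; it is not code from the ticket, from the reporter, or from the Twenty Eleven theme. It captures what each pattern actually sends to the page with output buffering, so the leak shows up as data rather than as rendered red text, and it shows the fix: escape the string that sprintf() returns, then echo that. The format string 'Permalink to %s', the untrusted value, and the esc_attr() stand-in are assumptions: outside WordPress esc_attr() is undefined, so a minimal htmlspecialchars()-based replacement is declared; inside WordPress the real function is used.

```php
<?php
// Added example, not from the ticket or the Twenty Eleven theme.
//
// Assumption: when run outside WordPress, esc_attr() does not exist, so a
// stand-in built on htmlspecialchars() is declared. Inside WordPress the
// real esc_attr() is used and this block is skipped.
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
}

/**
 * Problematic pattern: esc_attr( printf( ... ) ).
 *
 * printf() writes the formatted string to output immediately and returns
 * the number of bytes it wrote, so esc_attr() only ever sees an integer
 * and the markup reaches the page unescaped.
 *
 * @return array 'sent' is what reached the page, 'escaped' is the value
 *               esc_attr() actually returned.
 */
function pattern_with_printf( $format, $value ) {
	ob_start();
	$escaped = esc_attr( printf( $format, $value ) );
	$sent    = ob_get_clean();
	return array( 'sent' => $sent, 'escaped' => $escaped );
}

/**
 * Fixed pattern: echo esc_attr( sprintf( ... ) ).
 *
 * sprintf() returns the string instead of printing it, so esc_attr() sees
 * the real content and only the escaped result is echoed.
 */
function pattern_with_sprintf( $format, $value ) {
	ob_start();
	$escaped = esc_attr( sprintf( $format, $value ) );
	echo $escaped;
	$sent = ob_get_clean();
	return array( 'sent' => $sent, 'escaped' => $escaped );
}

// Constructed untrusted value, e.g. a post title an author was allowed to
// set. The '%' is deliberate: untrusted data belongs in the arguments,
// never in the format string itself, or printf()/sprintf() will misparse
// it (the "broken code" half of the ticket title).
$untrusted = '<h1 style="color: red;">100% TACO!</h1>';
$format    = 'Permalink to %s'; // assumed format string

$results = array(
	'printf'  => pattern_with_printf( $format, $untrusted ),
	'sprintf' => pattern_with_sprintf( $format, $untrusted ),
);

foreach ( $results as $name => $result ) {
	echo "[$name] sent to page: " . $result['sent'] . "\n";
	echo "[$name] esc_attr() returned: " . var_export( $result['escaped'], true ) . "\n\n";
}
```

With the printf variant, 'sent' contains the raw <h1> markup and 'escaped' is just a short numeric string (the byte count); with the sprintf variant, 'sent' and 'escaped' are the same entity-encoded string and no raw tag reaches the page. The same two lines are the before/after for the Twenty Eleven call sites the ticket is about.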