[wp-trac] [WordPress Trac] #29259: post_class filter can introduce non-escaped output
WordPress Trac
noreply at wordpress.org
Tue Aug 19 06:14:31 UTC 2014
#29259: post_class filter can introduce non-escaped output
-------------------------------+-----------------------------
Reporter: shadyvb | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Posts, Post Types | Version: trunk
Severity: normal | Keywords:
Focuses: template |
-------------------------------+-----------------------------
Currently, the `post_class` filter is executed after using `esc_attr` to escape
the existing classes, and thus newly added classes are not escaped properly.
Excerpt from `get_post_class`:
{{{
$classes = array_map( 'esc_attr', $classes );

/**
 * Filter the list of CSS classes for the current post.
 *
 * @since 2.7.0
 *
 * @param array  $classes An array of post classes.
 * @param string $class   A comma-separated list of additional classes
 *                        added to the post.
 * @param int    $post_id The post ID.
 */
$classes = apply_filters( 'post_class', $classes, $class, $post->ID );

return array_unique( $classes );
}}}
I think we should escape after applying the filter, not before, since a
snippet like the following can exploit the code and break output:
{{{
add_filter( 'post_class', function( $classes ) {
    $classes[] = '" data-foo="bar'; // sneaking in some data attributes
    // OR
    $classes[] = '">some evil stuff here'; // nasty!
    return $classes;
} );
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/29259>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
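The two orderings side by side, as an added standalone PHP example that is not code from the ticket or from WordPress core; `add_filter_stub`, `apply_filters_stub` and the local `esc_attr` stand-in are assumptions so the snippet runs without WordPress loaded:

```php
<?php
// Added example, not code from the ticket or WordPress core.
// Standalone PHP: a minimal stand-in for the WordPress hook API and for
// esc_attr(), plus the two orderings of escaping discussed in the ticket.

$hooks = [];

// Hypothetical stand-in for add_filter()/apply_filters(): one hook name,
// callbacks run in registration order, no priorities.
function add_filter_stub( string $hook, callable $cb ): void {
    global $hooks;
    $hooks[ $hook ][] = $cb;
}
function apply_filters_stub( string $hook, $value, ...$args ) {
    global $hooks;
    foreach ( $hooks[ $hook ] ?? [] as $cb ) {
        $value = $cb( $value, ...$args );
    }
    return $value;
}

// Minimal stand-in for esc_attr(): HTML-encode quotes and angle brackets.
function esc_attr( string $text ): string {
    return htmlspecialchars( $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

// Ordering as in the ticket's excerpt: escape, then filter.
// Anything a filter appends is returned unescaped.
function classes_escape_then_filter( array $classes ): array {
    $classes = array_map( 'esc_attr', $classes );
    $classes = apply_filters_stub( 'post_class', $classes );
    return array_unique( $classes );
}

// Corrected ordering: filter first, then escape every class,
// including the ones filters added.
function classes_filter_then_escape( array $classes ): array {
    $classes = apply_filters_stub( 'post_class', $classes );
    $classes = array_map( 'esc_attr', $classes );
    return array_unique( $classes );
}

// Constructed filter that adds a class containing a double quote, as in the ticket.
add_filter_stub( 'post_class', function ( array $classes ): array {
    $classes[] = '" data-foo="bar';
    return $classes;
} );

$base = [ 'post', 'hentry' ];
// First line: the quote survives and terminates the class attribute early.
echo 'class="' . implode( ' ', classes_escape_then_filter( $base ) ) . "\"\n";
// Second line: the quote is encoded, so the attribute stays intact.
echo 'class="' . implode( ' ', classes_filter_then_escape( $base ) ) . "\"\n";
```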