[wp-trac] [WordPress Trac] #34831: WP oEmbed: Validate the "Secret" When Used in `document.querySelectorAll()`

WordPress Trac noreply at wordpress.org
Thu Dec 3 03:28:12 UTC 2015

#34831: WP oEmbed: Validate the "Secret" When Used in `document.querySelectorAll()`
 Reporter:  mdawaffe      |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  4.4
Component:  Embeds        |    Version:  trunk
 Severity:  normal        |   Keywords:  has-patch
  Focuses:  javascript    |
 In the data sent to us from the embedded iframe by `postMessage()`, the
 `secret` value is being used directly in a `document.querySelectorAll()`
 call without first being validated or escaped.

 In theory, this could lead to some broken embeds.

 Suggested hardening patch attached: There's no reason to try and escape
 this data correctly.  Let's just reject if the secret does not conform to
 the format we expect.

Ticket URL: <https://core.trac.wordpress.org/ticket/34831>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list