[wp-trac] [WordPress Trac] #48117: onclick attribute is not properly escaped in the _render_item method of WP_Admin_Bar class.
WordPress Trac
noreply at wordpress.org
Tue Sep 24 04:52:49 UTC 2019
#48117: onclick attribute is not properly escaped in the _render_item method of
WP_Admin_Bar class.
--------------------------+-----------------------------
Reporter: tmatsuur | Owner: whyisjake
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 5.2.3
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
I noticed that when the onclick attribute value is specified with the
'meta' key of the add_menu method of $wp_admin_bar, the onclick attribute
is output twice.
{{{
$wp_admin_bar->add_menu( array(
'id' => 'mylink',
'title' => 'mylink',
'href' => 'https://wordpress.org/',
'meta' => array(
'onclick' => 'alert( "wp" )',
),
) );
}}}
The rendered HTML source looks like this:
{{{
<li id='wp-admin-bar-mylink'><a class='ab-item'
href='https://wordpress.org/' onclick="alert( "wp" )"
onclick='alert( "wp" )'>mylink</a></li>
}}}
As a result of investigating this cause, if the href attribute was set in
the _render_item method, the onclick attribute was output after being
escaped with the esc_js function, and then was output after being escaped
with another esc_attr function.
If the href attribute is not set, the onclick attribute is output after
being escaped by the esc_attr function.
The vulnerable source code is as follows: class-wp-admin-bar.php: 536-551
{{{
if ( $has_link ) {
$attributes = array( 'onclick', 'target', 'title', 'rel', 'lang',
'dir' );
echo "<a class='ab-item'$aria_attributes href='" . esc_url(
$node->href ) . "'";
if ( ! empty( $node->meta['onclick'] ) ) {
echo ' onclick="' . esc_js( $node->meta['onclick'] ) . '"';
}
} else {
$attributes = array( 'onclick', 'target', 'title', 'rel', 'lang',
'dir' );
echo '<div class="ab-item ab-empty-item"' . $aria_attributes;
}
foreach ( $attributes as $attribute ) {
if ( ! empty( $node->meta[ $attribute ] ) ) {
echo " $attribute='" . esc_attr( $node->meta[ $attribute ] ) .
"'";
}
}
}}}
The variable $attributes always contains 'onclick', so it escapes with the
esc_attr function and outputs the attribute value.
I hope that the onclick attribute will be output properly.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48117>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list