[wp-trac] [WordPress Trac] #56655: add_menu_page - escaping $page_title, $menu_title
WordPress Trac
noreply at wordpress.org
Mon Sep 26 10:46:39 UTC 2022
#56655: add_menu_page - escaping $page_title, $menu_title
-----------------------------------------+------------------------------
Reporter: soupia18 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Menus | Version: trunk
Severity: critical | Resolution:
Keywords: needs-patch has-screenshots | Focuses: administration
-----------------------------------------+------------------------------
Changes (by martin.krcho):
* keywords: => needs-patch has-screenshots
* focuses: => administration
* type: enhancement => defect (bug)
* version: => trunk
Comment:
Hey @soupia18, thank you very much for creating this ticket. Also,
congratulations on creating your first ticket in WordPress Trac.
I can confirm that this is an issue in the latest version of WordPress
(trunk). I was able to replicate the issue using the following mu-plugin.
{{{#!php
<?php
// Reproduction: register a menu page whose page and menu titles carry a script tag.
add_action( 'admin_init', function () {
	add_menu_page(
		__( '<script>alert("hi1")</script>Page Title', 'text-domain' ),
		__( '<script>alert("hi2")</script>Menu Title', 'text-domain' ),
		'manage_options',
		'menu-slug',
		function () {
			echo 'testing XSS issue';
		},
		'dashicons-images-alt2'
	);
} );
}}}
I can see a JS alert saying "hi2" when loading the WP Admin - see the
screenshot above.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56655#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
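Added example (not code from the ticket, the reporter or WordPress core): an mu-plugin that audits the admin menu after every plugin has registered its pages and logs any menu or page title that contains markup. It relies on the shape WordPress gives the global $menu and $submenu arrays (index 0 is the menu title, index 3 the page title); the example_ function name and the constructed sample entries are assumptions. Run outside WordPress it scans the constructed sample instead.

```php
<?php
/**
 * Added example, not part of ticket #56655 or of WordPress core.
 * Finds admin menu entries whose titles contain markup, which the menu
 * output would render unescaped. Names prefixed "example_" are hypothetical.
 */

/**
 * Scan $menu / $submenu arrays in the shape WordPress builds them:
 * index 0 is the menu title, index 2 the slug, index 3 the page title.
 * Returns a list of findings: where, slug, field, value.
 */
function example_find_menu_titles_with_markup( array $menu, array $submenu ) {
	$findings = array();
	$check    = function ( $where, $entry ) use ( &$findings ) {
		$slug = isset( $entry[2] ) ? (string) $entry[2] : '';
		foreach ( array( 0 => 'menu_title', 3 => 'page_title' ) as $index => $field ) {
			if ( ! isset( $entry[ $index ] ) || ! is_string( $entry[ $index ] ) ) {
				continue;
			}
			$value = $entry[ $index ];
			// If stripping tags changes the string, it contained markup.
			// A bare "<" in a title may also trigger this; review such hits manually.
			if ( strip_tags( $value ) !== $value ) {
				$findings[] = array(
					'where' => $where,
					'slug'  => $slug,
					'field' => $field,
					'value' => $value,
				);
			}
		}
	};

	foreach ( $menu as $entry ) {
		$check( 'menu', (array) $entry );
	}
	foreach ( $submenu as $parent => $entries ) {
		foreach ( (array) $entries as $entry ) {
			$check( 'submenu:' . $parent, (array) $entry );
		}
	}
	return $findings;
}

if ( function_exists( 'add_action' ) ) {
	// Inside WordPress: run after all other admin_menu callbacks. Pages added
	// on admin_init (as in the ticket's reproduction) are already present.
	add_action( 'admin_menu', function () {
		global $menu, $submenu;
		$findings = example_find_menu_titles_with_markup( (array) $menu, (array) $submenu );
		foreach ( $findings as $f ) {
			error_log( sprintf(
				'Admin %s title for "%s" (%s) contains markup: %s',
				$f['where'], $f['slug'], $f['field'], $f['value']
			) );
		}
	}, PHP_INT_MAX );
} else {
	// Stand-alone run: constructed sample modelled on the ticket's reproduction.
	$sample_menu = array(
		2  => array( 'Dashboard', 'read', 'index.php', '', 'menu-top', 'menu-dashboard', 'dashicons-dashboard' ),
		10 => array(
			'<script>alert("hi2")</script>Menu Title',
			'manage_options',
			'menu-slug',
			'<script>alert("hi1")</script>Page Title',
			'menu-top',
			'toplevel_page_menu-slug',
			'dashicons-images-alt2',
		),
	);
	$sample_submenu = array(
		'menu-slug' => array(
			array( 'Safe Sub Page', 'manage_options', 'sub-slug', 'Safe Sub Page' ),
		),
	);
	foreach ( example_find_menu_titles_with_markup( $sample_menu, $sample_submenu ) as $f ) {
		printf( "%s %s %s: %s\n", $f['where'], $f['slug'], $f['field'], $f['value'] );
	}
}
```

Until core escapes these values on output, a plugin can keep its own titles inert by passing them through esc_html() before handing them to add_menu_page(); the audit above is a way to spot entries from other plugins that did not.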
More information about the wp-trac
mailing list