Ticket #3937 (closed defect: fixed)

Opened 1 year ago

Last modified 1 year ago

All browser-bound outputs of add_query_arg() or remove_query_arg() must be sanitized with attribute_escape()

Reported by: markjaquith
Assigned to: anonymous
Priority: highest omg bbq
Milestone: 2.0.10
Component: Security
Version: 2.2
Severity: critical
Keywords: security
Cc:

Description

The add_query_arg() and remove_query_arg() functions do not generate XSS-proof URLs by default (because their output can also be used to redirect to the resultant URL). But all browser-bound outputs of these functions must be sanitized before being echoed. attribute_escape() is the function that escapes content used in attributes (and URLs are almost always used in attributes, like <a href="<?php echo attribute_escape(add_query_arg('foo', 'value', $initial_url)); ?>">link</a>)

XSS exploits have been tied to this vulnerability:

Triple milestone here:

  • trunk
  • 2.0.x
  • 2.1.x
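The escape-at-output rule from the description, as an added example that is not WordPress code and not part of the original ticket. The two helpers `toy_add_query_arg()` and `toy_attribute_escape()` are simplified stand-ins written for this example (an assumption), not the real add_query_arg() and attribute_escape(); `render_link_unsafe()`, `render_link_safe()`, `redirect_header_line()`, `markup_is_intact()` and the sample URL are likewise constructed here. The block contrasts the raw echo with the escaped one, shows the redirect use that explains why the helper itself does not escape, and includes a check that can be kept as a regression test.

```php
<?php
// Added example, not WordPress code. It shows why a URL returned by an
// add_query_arg()-style helper must go through attribute_escape() (or an
// equivalent) before it is echoed inside an HTML attribute, and why the
// helper itself must not escape. Both helpers below are simplified stand-ins
// written for this example (an assumption), not the real WordPress functions.

// Stand-in for add_query_arg(): sets one key in the query string of $url by
// plain string concatenation and returns the result unescaped, matching the
// ticket's statement that the output is not XSS-proof by default.
function toy_add_query_arg(string $key, string $value, string $url): string
{
    $qpos  = strpos($url, '?');
    $base  = ($qpos === false) ? $url : substr($url, 0, $qpos);
    $query = [];
    if ($qpos !== false) {
        parse_str(substr($url, $qpos + 1), $query);
    }
    $query[$key] = $value;

    $pairs = [];
    foreach ($query as $k => $v) {
        // No urlencode() here on purpose: characters already present in the
        // incoming URL come back out verbatim.
        $pairs[] = $k . '=' . $v;
    }
    return $base . '?' . implode('&', $pairs);
}

// Stand-in for attribute_escape(): turns & < > " ' into entities so the value
// can neither close the surrounding quote nor open a tag.
function toy_attribute_escape(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the URL is echoed straight into href.
function render_link_unsafe(string $url): string
{
    return '<a href="' . $url . '">link</a>';
}

// Pattern the ticket requires: escape every browser-bound output.
function render_link_safe(string $url): string
{
    return '<a href="' . toy_attribute_escape($url) . '">link</a>';
}

// Non-browser use from the ticket's rationale: a redirect target goes into an
// HTTP header, where HTML entities would corrupt the URL (e.g. "&amp;"), so
// the raw value is the right one there and escaping belongs at the HTML sink.
function redirect_header_line(string $url): string
{
    return 'Location: ' . $url;
}

// Regression check: a correctly escaped link contains exactly the two quotes
// of href="..." and the two angle brackets of <a ...> and </a>.
function markup_is_intact(string $html): bool
{
    return substr_count($html, '"') === 2 && substr_count($html, '<') === 2;
}

// Constructed sample input: a base URL whose existing query string carries
// characters that break out of an attribute when echoed raw.
$initial_url = 'http://example.com/wp-admin/edit.php?s=a"b<c>';
$url = toy_add_query_arg('foo', 'value', $initial_url);

$rendered = [
    'unsafe' => render_link_unsafe($url),
    'safe'   => render_link_safe($url),
];
foreach ($rendered as $label => $html) {
    printf("%-6s intact=%-3s %s\n", $label, markup_is_intact($html) ? 'yes' : 'no', $html);
}
echo redirect_header_line($url), "\n";
```

Run it with `php` on the command line: the unsafe line shows the raw `"` and `<c>` from the query string terminating the href attribute (four quotes, three angle brackets), while the safe line carries `&quot;`, `&lt;`, `&gt;` and `&amp;` and passes `markup_is_intact()`. The Location line is printed unescaped, which is the behaviour the description relies on when it says the same output may be used for a redirect.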

Attachments

add_query_arg_output_sanitization.001.diff (13.6 kB) - added by markjaquith on 03/09/07 04:33:52.
Patch for entire /wordpress/ family

Change History

03/09/07 04:33:52 changed by markjaquith

  • attachment add_query_arg_output_sanitization.001.diff added.

Patch for entire /wordpress/ family

03/09/07 04:36:32 changed by markjaquith

  • status changed from new to closed.
  • resolution set to fixed.

(In [5007]) Sanitize browser-bound add_query_arg() outputs. fixes #3937