[wp-trac] [WordPress Trac] #20476: Twenty Eleven: replace esc_attr( printf() ) with sprintf to prevent potential xss and potential broken code.

WordPress Trac wp-trac at lists.automattic.com
Wed Apr 18 07:22:26 UTC 2012


#20476: Twenty Eleven: replace esc_attr( printf() ) with sprintf to prevent
potential xss and potential broken code.
---------------------------+-----------------------------
 Reporter:  chellycat      |      Owner:
     Type:  defect (bug)   |     Status:  new
 Priority:  normal         |  Milestone:  Awaiting Review
Component:  Bundled Theme  |    Version:  3.3
 Severity:  normal         |   Keywords:
---------------------------+-----------------------------
 The following code is problematic and may lead to xss as well as broken
 code depending on when/how it is used:

 {{{esc_attr( printf() )}}}

 Take for example the following test:

 {{{
 // Reporter's test case: compare esc_attr() wrapped around sprintf() (returns
 // the string) versus printf() (echoes the string immediately, returns its length).
 function mfields_printf_test() {
         $test = '<h1 style="font-size: 50px; font-weight: bold; color: red;">TACO!</h1>';

         // sprintf() returns the formatted string, so esc_attr() escapes it.
         $good = esc_attr( sprintf( $test ) );
         var_dump( $good );

         // printf() echoes $test unescaped and returns the byte count (70),
         // so esc_attr() only ever sees the integer.
         $bad = esc_attr( printf( $test ) );
         var_dump( $bad );
 }
 add_action( 'get_header', 'mfields_printf_test' );
 }}}

 This will produce the following output:

 https://img.skitch.com/20120310-cjfm9aiqmym87f5we647k9equh.png

 Notice how the string in {{{$good}}} is correctly escaped while the string
 in {{{$bad}}} has been "converted" to a numeric string with the value of
 "70". This is because {{{printf()}}} is intended to echo a value to the
 screen. It does return a value, which represents the length of the
 outputted string. Since the test string is 70 chars long, this value is 70.

 Also notice how the string "TACO!" is echoed to the screen in large, red
 text. This proves that {{{esc_attr()}}} is bypassed by {{{printf()}}}
 allowing unescaped data to be echoed to the screen.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/20476>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
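The following is an added example, not code from the ticket or from WordPress core, that reproduces the reporter's finding outside WordPress so it can be run from the command line. Because {{{esc_attr()}}} lives in WordPress (wp-includes/formatting.php), it is stood in for here by a hypothetical {{{esc_attr_stub()}}} built on {{{htmlspecialchars()}}}; the untrusted input string is constructed for the demonstration. The vulnerable {{{esc_attr( printf() )}}} pattern is shown beside the {{{esc_attr( sprintf() )}}} form the ticket proposes.

```php
<?php
// Added example, not from the ticket or WordPress core.

// Hypothetical stand-in for WordPress's esc_attr(). The real function also
// handles charset detection and avoids double-encoding; only the HTML
// escaping matters for this comparison.
function esc_attr_stub( $text ) {
    return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
}

// Constructed untrusted input, e.g. a title supplied by a low-privilege user
// that a theme interpolates into an HTML attribute.
$untrusted = 'Hello "World" <img src=x onerror=alert(1)>';

// Vulnerable pattern from the ticket: printf() echoes its output at once,
// before esc_attr() runs, and returns only the number of bytes written.
// Capture the output buffer to show what actually reached the page.
ob_start();
$returned = esc_attr_stub( printf( 'title="%s"', $untrusted ) );
$leaked   = ob_get_clean();

// Correct pattern: sprintf() returns the formatted string without echoing,
// so esc_attr() escapes the real text and the caller decides when to echo.
$safe = esc_attr_stub( sprintf( 'title="%s"', $untrusted ) );

var_dump( $returned ); // the byte count as a string, not escaped markup
var_dump( $leaked );   // raw "<img ... onerror=...>" that already hit the output
var_dump( $safe );     // entity-escaped string, safe inside an attribute

// Result: the printf() form both bypasses escaping (the markup is already
// sent) and hands esc_attr() a meaningless integer; the sprintf() form escapes.
```

Note that the example passes the untrusted value through a {{{%s}}} placeholder rather than as the format string itself; handing user-controlled text to {{{printf()}}}/{{{sprintf()}}} as the format argument is a separate defect. A quick way to find remaining instances of the pattern in a theme tree is {{{grep -rn 'esc_attr( *printf' wp-content/themes/}}}.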