[wp-hackers] Plugin version number from WP.org sanitized?

Viper007Bond viper at viper007bond.com
Mon Dec 3 10:11:06 GMT 2007


I've been playing around with the plugin update checker (writing a new
plugin that uses the data) and noticed that the data retrieved from
WP.org is displayed raw:

printf( __('There is a new version of %s available. <a href="%s">Download
version %s here</a>.'), $plugin_data['Name'], $r->url, $r->new_version );

Does this mean WP.org automatically htmlspecialchars() the version number
and such or was this overlooked?

What if I commit a new version of my plugin and put this as the version
number: 1.2.3<script>alert('omfghax');</script>

The same goes for plugin titles.

Wondering both for my plugin's sake and for security's sake.

-- 
Viper007Bond | http://www.viper007bond.com/
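The failure mode raised above, as an added stand-alone example (not code from the original post or from WordPress core): the same printf() message rendered once with the update-API fields inserted raw and once with each field escaped for the HTML context it lands in. The update object, plugin name and URL are constructed sample values; WordPress's own escaping helpers are not needed here, so plain htmlspecialchars() is used, and the __() translation wrapper is dropped so the file runs outside WordPress.

```php
<?php
// Added example, not code from the wp-hackers post or from WordPress core.

// Escape for HTML text/attribute context. WordPress core's equivalent helpers
// (e.g. wp_specialchars() / attribute_escape() in the 2007 code base, esc_html()
// / esc_attr() in later versions) do the same job inside WordPress.
function escape_html( $value ) {
    return htmlspecialchars( (string) $value, ENT_QUOTES, 'UTF-8' );
}

// Constructed update response mirroring the fields the post reads ($r->url,
// $r->new_version); the version string carries the markup from the post.
$r = (object) array(
    'url'         => 'http://example.com/plugin-1.2.3.zip',   // sample value
    'new_version' => "1.2.3<script>alert('omfghax');</script>",
);
// Constructed plugin header data; the title is the second field the post worries about.
$plugin_data = array( 'Name' => 'Example <b>Plugin</b>' );

// As in the post: values from the API response are inserted unmodified, so any
// markup in the version or title becomes part of the admin page's DOM.
function render_raw( $plugin_data, $r ) {
    return sprintf(
        'There is a new version of %s available. <a href="%s">Download version %s here</a>.',
        $plugin_data['Name'], $r->url, $r->new_version
    );
}

// Hardened: every untrusted field is escaped at the output point, so the same
// string shows the version literally instead of executing it.
function render_escaped( $plugin_data, $r ) {
    return sprintf(
        'There is a new version of %s available. <a href="%s">Download version %s here</a>.',
        escape_html( $plugin_data['Name'] ),
        escape_html( $r->url ),           // attribute context: quotes and angle brackets neutralised
        escape_html( $r->new_version )
    );
}

echo "raw:     ", render_raw( $plugin_data, $r ), PHP_EOL;
echo "escaped: ", render_escaped( $plugin_data, $r ), PHP_EOL;

// Quick self-check: the escaped output contains no unencoded <script> tag,
// while the raw output does.
assert( strpos( render_raw( $plugin_data, $r ), '<script>' ) !== false );
assert( strpos( render_escaped( $plugin_data, $r ), '<script>' ) === false );
```

Escaping at the output point rather than trusting the API to have done it is the defensive choice here: whether or not WP.org filters version strings and titles on commit, the client-side code that prints them should not depend on it, and escaping an already-clean string is harmless.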

