[wp-hackers] Plugin version number from WP.org sanitized?

Michael D Adams mikea at turbonet.com
Wed Dec 5 06:37:30 GMT 2007

On Dec 3, 2007, at 2:11 AM, Viper007Bond wrote:

> I've been playing around with the plugin update checker (writing a new
> plugin that uses the data) and noticed that the data retrieved from
> WP.org is displayed raw:
>
> printf( __('There is a new version of %s available. <a href="%s">Download version %s here</a>.'),
>         $plugin_data['Name'], $r->url, $r->new_version );
>
> Does this mean WP.org automatically htmlspecialchars() the version
> number and such or was this overlooked?

The data is sanitized on the WP.org server, so everything's ok there.

I agree that the client (your WP blog) should sanitize it as well.  Thanks for patching!

Michael Adams
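What the client-side sanitization discussed above looks like in practice, as an added example that is not code from the thread or from WordPress core: the raw printf() pattern quoted in the question beside a hardened version that HTML-escapes the plugin name and version string and only accepts http(s) download URLs. It assumes a minimal stand-in for WordPress's __() wrapper so it runs outside WordPress, and the update-check response it feeds in is constructed to look like an unsanitized server reply.

```php
<?php
// Added example (not from the list post or WordPress core): rendering the
// update notice without trusting the version string and URL returned by
// the update server. The __() below is a stand-in for WordPress's gettext
// wrapper so the snippet runs on its own.

if (!function_exists('__')) {
    function __($text) { return $text; }
}

// The pattern from the post: every field is dropped into HTML unescaped,
// so a hostile version string or URL is rendered as markup.
function render_notice_raw(array $plugin_data, object $r): string
{
    return sprintf(
        __('There is a new version of %s available. <a href="%s">Download version %s here</a>.'),
        $plugin_data['Name'], $r->url, $r->new_version
    );
}

// Hardened form: escape text for HTML/attribute context (ENT_QUOTES also
// covers the single quote), and refuse download URLs that are not http(s).
function esc_html_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function safe_download_url(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        return '';  // javascript:, data:, relative paths etc. are rejected
    }
    return esc_html_attr($url);
}

function render_notice_escaped(array $plugin_data, object $r): string
{
    $url     = safe_download_url((string) $r->url);
    $name    = esc_html_attr((string) $plugin_data['Name']);
    $version = esc_html_attr((string) $r->new_version);

    if ($url === '') {
        // No trustworthy link: still tell the user, but do not emit the URL.
        return sprintf(__('There is a new version (%s) of %s available.'), $version, $name);
    }
    return sprintf(
        __('There is a new version of %s available. <a href="%s">Download version %s here</a>.'),
        $name, $url, $version
    );
}

// Constructed update-check response, shaped as if the server had NOT
// sanitized it (hypothetical values, not real WP.org data).
$plugin_data = ['Name' => 'Example Plugin'];
$r = (object) [
    'url'         => 'javascript:alert(document.cookie)',
    'new_version' => '1.1</a><script>alert(1)</script>',
];

echo render_notice_raw($plugin_data, $r), "\n";      // script and javascript: link reach the admin page
echo render_notice_escaped($plugin_data, $r), "\n";  // markup is neutralized, link is dropped
```

The server-side sanitization the reply mentions is still the first line of defense; the point of escaping again on the blog is that the admin screen should not depend on a remote host, or on whatever proxies the HTTP request passes through, for its own output encoding.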
