[wp-hackers] Plugin version number from WP.org sanitized?
Michael D Adams
mikea at turbonet.com
Wed Dec 5 06:37:30 GMT 2007
On Dec 3, 2007, at 2:11 AM, Viper007Bond wrote:
> I've been playing around with the plugin update checker (writing a new
> plugin that uses the data) and noticed that the data retrieved from
> WP.org is displayed raw:
>
> printf( __('There is a new version of %s available. <a href="%s">Download version %s here</a>.'), $plugin_data['Name'], $r->url, $r->new_version );
>
> Does this mean WP.org automatically htmlspecialchars() the version
> number
> and such or was this overlooked?
The data is sanitized on the WP.org server, so everything's ok there.
I agree that the client (your WP blog) should sanitize it as well. Thanks for patching!
Michael Adams
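As an added example (not code from this thread or from WordPress core), here is the notice from the quoted snippet rendered both as posted and with the client-side escaping Michael agrees it should have: the plugin name, URL and version string from the update API are passed through htmlspecialchars() before being interpolated into the markup. The `$r` object, the `$plugin_data` array, the `__()` stand-in and the sample values are constructed for the example.

```php
<?php
// Added example, not WordPress core code. Simulates the update-API response
// ($r) and plugin header data ($plugin_data) used in the snippet quoted above.
$plugin_data = array( 'Name' => 'Example Plugin' );
$r = (object) array(
    // Constructed sample: a version string carrying markup, to show that
    // nothing the server returns is trusted as HTML on the client.
    'new_version' => '1.2<em>beta</em>',
    'url'         => 'https://wordpress.org/extend/plugins/example/?a=1&b=2',
);

// Stand-in for the WordPress __() translation function so this runs outside WP.
if ( ! function_exists( '__' ) ) {
    function __( $text ) { return $text; }
}

// Behaviour as quoted in the thread: API values interpolated raw into HTML.
function update_notice_raw( $plugin_data, $r ) {
    return sprintf( __( 'There is a new version of %s available. <a href="%s">Download version %s here</a>.' ),
        $plugin_data['Name'], $r->url, $r->new_version );
}

// Hardened: every untrusted value is escaped for the HTML context it lands in.
// With ENT_QUOTES, htmlspecialchars() also escapes quotes, so a value placed
// inside href="..." cannot terminate the attribute. Escaping does not validate
// the URL scheme; that is a separate check not shown here.
function esc( $value ) {
    return htmlspecialchars( (string) $value, ENT_QUOTES, 'UTF-8' );
}

function update_notice_escaped( $plugin_data, $r ) {
    return sprintf( __( 'There is a new version of %s available. <a href="%s">Download version %s here</a>.' ),
        esc( $plugin_data['Name'] ), esc( $r->url ), esc( $r->new_version ) );
}

// Print both renderings so the difference in the emitted markup is visible.
echo update_notice_raw( $plugin_data, $r ), "\n";
echo update_notice_escaped( $plugin_data, $r ), "\n";
```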