[wp-trac] [WordPress Trac] #12781: Minor XSS issue in Twenty Ten theme
WordPress Trac
wp-trac at lists.automattic.com
Wed Mar 31 01:43:00 UTC 2010
#12781: Minor XSS issue in Twenty Ten theme
--------------------------+-------------------------------------------------
Reporter: Viper007Bond | Owner: ryan
Type: defect (bug) | Status: new
Priority: high | Milestone: 3.0
Component: Security | Version: 3.0
Severity: major | Keywords:
--------------------------+-------------------------------------------------
This is in Twenty Ten's `search.php`:
{{{
<h1 class="page-title"><?php printf( __( 'Search Results for: %s',
'twentyten' ), '<span>' . get_search_query() . '</span>' ); ?></h1>
}}}
`get_search_query()` does not feature any sanitization, so the search
string is displayed raw.
To show the vulnerability, write a post with the following content and
publish it:
{{{
<a href="http://wordpress.org/">This is a link</a>
}}}
Now enter that same string into the search box. The post will show up in
the results as expected, but you'll get `Search Results for: This is a
link` (which is clickable) instead of the actual search string.
Luckily Twenty Ten shows "Nothing Found" if there are no results, so this
requires the string to be located in a post.
Still needs to be fixed though. See attached patch.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/12781>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
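The reported template line alongside an escaped version, as an added example that is not part of the ticket or of Twenty Ten; `render_title_unescaped()`, `render_title_escaped()` and the `esc_html()` stand-in are assumptions so the script runs outside WordPress (inside WordPress the real `esc_html()` is used):

```php
<?php
// Added example, not from the ticket or the Twenty Ten theme: contrasts the
// reported search.php line with a version that escapes the search string.

if ( ! function_exists( 'esc_html' ) ) {
	// Stand-in for WordPress esc_html() so this runs as a plain PHP script:
	// encode <, >, &, " and ' so the string is rendered as text, not markup.
	function esc_html( $text ) {
		return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
	}
}

// Constructed search string: the same anchor tag the ticket uses.
$search_query = '<a href="http://wordpress.org/">This is a link</a>';

// As reported: the raw query is concatenated into the span, so any tags
// it contains become part of the page.
function render_title_unescaped( $query ) {
	return sprintf(
		'<h1 class="page-title">%s</h1>',
		sprintf( 'Search Results for: %s', '<span>' . $query . '</span>' )
	);
}

// Hardened: esc_html() neutralises the query while the template's own
// <span> and <h1> markup (trusted, literal strings) stays intact.
function render_title_escaped( $query ) {
	return sprintf(
		'<h1 class="page-title">%s</h1>',
		sprintf( 'Search Results for: %s', '<span>' . esc_html( $query ) . '</span>' )
	);
}

echo render_title_unescaped( $search_query ), "\n";
echo render_title_escaped( $search_query ), "\n";
```

Run with `php` on the command line: the first line of output carries the anchor tag as live markup, the second shows it encoded as `&lt;a href=...&gt;` inside the span, which is the behaviour the theme needs.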