[wp-trac] [WordPress Trac] #56701: Sanitize HTML Classes added to single row columns in WP_List_Table
WordPress Trac
noreply at wordpress.org
Fri Sep 30 15:17:48 UTC 2022
#56701: Sanitize HTML Classes added to single row columns in WP_List_Table
-----------------------------+-----------------------------
 Reporter:  bananastalktome  |      Owner:  (none)
     Type:  defect (bug)     |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  General          |    Version:  trunk
 Severity:  normal           |   Keywords:  has-patch
  Focuses:                   |
-----------------------------+-----------------------------

Currently, class names added to each row's columns in `WP_List_Table` in
`single_row_columns` are not sanitized, and as such can break HTML output.

For example, adding a filter to include a new column on the Sites page of
a Network install:
{{{#!php
<?php
add_filter('manage_sites-network_columns', function($columns) {
    $columns["'><script>alert('Hello!')</script>"] = 'Hello?';
    return $columns;
});
}}}
does, in fact, output a script tag which is evaluated for each row being
shown.

I don't think this is just an issue for the Network Sites page; I think
any pages including list table classes extending `WP_List_Table` are
impacted.

Attached (will be) a patch that uses `sanitize_html_class` on the
`$column_name`.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56701>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
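
Added example (not part of the ticket and not WordPress core code): a stand-alone PHP script that renders a table cell with the column key interpolated into the class attribute, then again after an allow-list filter, using the column key from the ticket. `example_sanitize_class`, `example_render_cell` and `example_breaks_out` are hypothetical names; the first is a stand-in assumed to mirror what `sanitize_html_class` does, so the script runs without WordPress loaded.

```php
<?php
// Added example: simplified stand-ins, not WordPress core code.

// Stand-in for sanitize_html_class() (assumption: same allow-list idea).
// Drops percent-encoded bytes, then keeps only A-Z, a-z, 0-9, '_' and '-'.
// Uses the fallback when nothing is left of the name.
function example_sanitize_class(string $name, string $fallback = ''): string {
    $clean = preg_replace('/%[a-fA-F0-9]{2}/', '', $name);
    $clean = preg_replace('/[^A-Za-z0-9_-]/', '', $clean);
    if ($clean === '' && $fallback !== '') {
        return example_sanitize_class($fallback);
    }
    return $clean;
}

// Hypothetical cell renderer. With $sanitize = false the column key is
// interpolated into the single-quoted class attribute unchanged.
function example_render_cell(string $column_name, string $value, bool $sanitize): string {
    $class = $sanitize
        ? example_sanitize_class($column_name, 'column')
        : $column_name;
    $text = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return "<td class='$class column-$class'>$text</td>";
}

// True when the rendered cell contains a script element, i.e. the column
// key escaped the class attribute and became markup.
function example_breaks_out(string $html): bool {
    return stripos($html, '<script') !== false;
}

// Constructed input: an ordinary column key and the key from the ticket.
$columns = [
    'blogname' => 'Site',
    "'><script>alert('Hello!')</script>" => 'Hello?',
];

foreach (array_keys($columns) as $column_name) {
    foreach ([false, true] as $sanitize) {
        $html = example_render_cell((string) $column_name, 'example.test', $sanitize);
        printf(
            "%-11s breaks_out=%-3s %s\n",
            $sanitize ? 'sanitized' : 'unsanitized',
            example_breaks_out($html) ? 'yes' : 'no',
            $html
        );
    }
}
```

Only the class attribute is filtered here; the original column key stays available for looking up the column's value.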