search

FacetWP / use-child-theme

A WordPress class to ensure that a child theme is installed and active
65 stars 21 forks source link

Prevent XSS Vulnerability #8

Closed emiluzelac closed 8 years ago

emiluzelac commented 8 years ago

I would recommend escaping the following in: https://github.com/FacetWP/use-child-theme/blob/master/use-child-theme.php#L52-L78

More details:

There's also another method as well: https://github.com/Automattic/theme-tools/blob/master/jetpack-dependency-script/plugin-enhancements.php#L234-L269

P.S. I had bit more time today :)

mgibbs189 commented 8 years ago

@emiluzelac Thanks for submitting.

What part specifically is vulnerable to XSS? There really isn't any user inputs in the code you highlighted. $this->theme->get( 'Name' ) is coming directly from WP...

emiluzelac commented 8 years ago

Sure thing @mgibbs189 it's right here: href="javascript:;" and it's .on('click' as well.

mgibbs189 commented 8 years ago

href="javascript:;" just tells the browser not to do anything on click.

It's the same as href="#", but doesn't scroll the page to the top.

emiluzelac commented 8 years ago

Sorry for writing and deleting earlier. I see what do you mean now.