kienstra / widget-live-editor

Plugin on WordPress.org. Edit widgets as you see them, with an image, text, and a link.
http://wordpress.org/plugins/widget-live-editor

Improve sanitization and add escaping for anchor_class and anchor_text #1

Closed westonruter closed 9 years ago

westonruter commented 9 years ago

strip_tags is not sufficient. Someone could enter a double quote character and add entirely new attributes to the input element, or simply break the markup. So esc_attr is needed in both cases.


https://github.com/kienstra/widget-live-editor/blob/a1164d0c68bf141a6fb780a072854a7c1039f8fc/includes/wle-options.php#L38-L64

kienstra commented 9 years ago

Thanks, Weston. I'll change strip_tags() to esc_attr(). I will also change the spaces to tabs.

westonruter commented 9 years ago

Actually, it's fine to leave strip_tags where they are. But adding esc_attr is the key thing to add, and should be right where it does echo. http://vip.wordpress.com/documentation/best-practices/security/validating-sanitizing-escaping/#always-escape-late

kienstra commented 9 years ago

Thank you, I'll add the esc_attr call at the echo line.

westonruter commented 9 years ago

:+1:
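The attribute breakout Weston describes, and the fix of escaping late at the echo, as an added PHP example that is not code from the widget-live-editor plugin or from this thread. It assumes a stand-in `esc_attr()` built on `htmlspecialchars()` so the script runs outside WordPress; the option value and the `render_*` function names are constructed for the illustration.

```php
<?php
// Added example, not plugin code. Stand-in for WordPress's esc_attr() so this
// runs without WordPress loaded; the real esc_attr() also encodes both quote
// characters, which is what prevents the attribute breakout shown below.
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
}

// Constructed option value: it contains no tags, so strip_tags() leaves it
// untouched, but the double quote closes the value="" attribute early and
// the rest of the string becomes a brand-new attribute on the <input>.
$anchor_text = 'Read more" title="injected';

// Before: sanitize with strip_tags() only and print straight into the attribute.
function render_before( $value ) {
	$clean = strip_tags( $value );
	return '<input type="text" name="anchor_text" value="' . $clean . '" />';
}

// After: keep strip_tags() as sanitization, and escape at the point of output
// with esc_attr(), so the quote is encoded and the markup stays intact.
function render_after( $value ) {
	$clean = strip_tags( $value );
	return '<input type="text" name="anchor_text" value="' . esc_attr( $clean ) . '" />';
}

// Compare the two renderings: the first gains an extra title attribute,
// the second keeps the whole string inside a single value attribute.
echo render_before( $anchor_text ), "\n";
echo render_after( $anchor_text ), "\n";
```

Run with `php` from the command line and inspect the two lines; the same pattern applies to the anchor_class field, since both are emitted inside an attribute.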