qtranslate / qtranslate-xt

qTranslate-XT (eXTended) - reviving qTranslate-X multilingual plugin for WordPress. A new community-driven plugin soon. Built-in modules for WooCommerce, ACF, slugs and others.
GNU General Public License v2.0

XSS Vulnerability in legacy code #1174

Open andrewwippler opened 2 years ago

andrewwippler commented 2 years ago

Has the most recent XSS flaw in qtranslate-x been fixed with this updated codebase? I saw #693, but that appears to be an older vulnerability.

As a recap of the linked URL, the legacy codebase was not properly escaping these post parameters:

Affected POST Parameters:
- Settings > Languages > Languages: language_name, language_locale, language_locale_html, language_date_format, language_time_format
- Settings > Languages > Advanced: flag_location, filter_options, lsb_style_wrap_class, lsb_style_active_class, ignore_file_types
- Settings > Languages > Integration: custom_fields, custom_field_classes, text_field_filters
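
A sketch of the kind of fix being asked about, added here as an illustration and not taken from qTranslate-XT or qTranslate-X: the unescaped save/render pattern for one of the listed fields (language_name) beside a hardened handler that uses WordPress' own sanitisation and escaping helpers. The demo_* function names and the option name are assumed.

```php
<?php
// Added illustration, not plugin code. One settings field (language_name) from
// the issue's list, handled the unsafe way and the hardened way. Function and
// option names (demo_*) are hypothetical.

// VULNERABLE: the raw POST value is stored and later echoed straight into an
// attribute, so a value containing quotes or tags reaches the admin page
// unchanged (stored XSS against whoever opens the settings screen).
function demo_save_language_name_unsafe() {
    update_option( 'demo_language_name', $_POST['language_name'] );
}
function demo_render_language_name_unsafe() {
    $value = get_option( 'demo_language_name', '' );
    echo '<input type="text" name="language_name" value="' . $value . '">';
}

// HARDENED: capability check, nonce check, sanitise on input, escape on output.
function demo_save_language_name_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // The form emits the nonce with wp_nonce_field( 'demo_save_settings' ).
    check_admin_referer( 'demo_save_settings' );
    if ( ! isset( $_POST['language_name'] ) ) {
        return;
    }
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, invalid octets and line breaks.
    $name = sanitize_text_field( wp_unslash( $_POST['language_name'] ) );
    update_option( 'demo_language_name', $name );
}
function demo_render_language_name_safe() {
    $value = get_option( 'demo_language_name', '' );
    // esc_attr() is the correct escape for an HTML attribute value; use
    // esc_html() for text nodes and esc_url() for href/src attributes.
    printf( '<input type="text" name="language_name" value="%s">', esc_attr( $value ) );
}
```

The same split applies to every field in the list above: sanitise each one on save (with array_map over list-valued settings such as custom_fields), and escape at the point of output with the helper that matches the HTML context.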

herrvigg commented 2 years ago

No, nothing has been fixed. What is mentioned in #693 concerns the last official QT-X plugin in WP, but since QT-XT is not in WP yet, there's no update there.

If you have suggestions how to fix this let us know.