Closed alexmigf closed 2 years ago
Due to a notification from the WordPress Plugin Directory team, we decided to escape missing query args on plugin urls.
Slack discussion: https://wpovernight.slack.com/archives/C04CH2B9W/p1653986899006649
An example of a vulnerable use:
echo add_query_arg( 'addon', $key );
That needs to be wrapped with esc_url:
echo esc_url( add_query_arg( 'addon', $key ) );
In order to properly secure your plugin(s) you must do the following:
- Use esc_url() when outputting them in pages
- Use esc_url_raw() when outputting them in HTTP headers (or as part of a HTTP request, e.g. in wp_remote_get())
- Make sure add_query_arg() and remove_query_arg() are properly escaped when output, and not just the ones reported here
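The three output contexts listed above, as an added PHP example that is not part of this PR or the plugin's code. It assumes it runs inside WordPress (where add_query_arg(), remove_query_arg(), esc_url(), esc_url_raw(), wp_safe_redirect() and wp_remote_get() exist); the wpo_example_* function names are hypothetical.

```php
<?php
// Added example, not from the PR. Assumes a WordPress runtime; wpo_example_* names are hypothetical.

// Context 1: a link rendered in an admin page (HTML attribute) -> esc_url().
// add_query_arg() with no URL argument builds on $_SERVER['REQUEST_URI'], which is
// request-controlled, so echoing its result unescaped reflects attacker input into markup.
function wpo_example_addon_link( $key ) {
	$url = add_query_arg( 'addon', $key );
	return '<a href="' . esc_url( $url ) . '">' . esc_html( $key ) . '</a>';
}

// Context 2: the same kind of URL used as a redirect target (HTTP Location header) -> esc_url_raw().
// esc_url() is for display: it turns '&' into '&#038;', which would corrupt a header value,
// so the 'raw' variant is used for headers and outbound requests.
function wpo_example_redirect_without_notice() {
	$url = remove_query_arg( array( 'notice', 'addon' ) ); // also built from REQUEST_URI
	wp_safe_redirect( esc_url_raw( $url ) );
	exit;
}

// Context 3: building the URL of an outbound HTTP request -> esc_url_raw() again.
// $base is a constructed endpoint placeholder; the real endpoint is plugin-specific.
function wpo_example_fetch_addon( $key, $base = 'https://example.invalid/api' ) {
	$url = add_query_arg( array( 'addon' => $key ), $base );
	return wp_remote_get( esc_url_raw( $url ) );
}
```

The rule of thumb the PR applies: every add_query_arg()/remove_query_arg() result is escaped at the point it is output, with esc_url() for HTML and esc_url_raw() for headers and HTTP requests.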