Admin: Escape ticket title on Discussion screen to avoid XSS.
If `run_wptexturize` is disabled, the following subject title would allow an attacker to perform cross-site scripting:
`"><script>alert('hi');</script>`
That attack has a CVSS score of 4.7 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
The rest of the output was reformatted to improve readability and make it easier to spot missing escaping functions or other problems.
Props https://hackerone.com/whitehatter for discovering and disclosing responsibly.
Fixes https://hackerone.com/reports/145086
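To show why the quote in that subject title matters and what the escaping fix changes, here is an added Python stand-in for the admin template (example code, not the project's own PHP; it assumes the title is interpolated into a double-quoted `value` attribute and uses Python's `html.escape` in place of the WordPress escaping helper). Feeding both renderings through the standard-library HTML parser shows the unescaped output tokenising into an extra `<script>` element while the escaped output keeps the title as inert attribute text.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the subject title quoted in the commit message.
ATTACK_TITLE = "\"><script>alert('hi');</script>"


def render_unescaped(title):
    """Pre-fix pattern: the title is interpolated into the attribute as-is."""
    return f'<input type="text" name="ticket_title" value="{title}">'


def render_escaped(title):
    """Hardened pattern: escape &, <, >, \" and ' first (html.escape defaults to quote=True)."""
    return f'<input type="text" name="ticket_title" value="{html.escape(title)}">'


class _TagCollector(HTMLParser):
    """Records every start tag with its attributes, as a tolerant HTML tokeniser sees the fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # Attribute values arrive with entities already decoded, like a browser's DOM would hold them.
        self.tags.append((tag, dict(attrs)))


def parse_tags(fragment):
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def injects_script(fragment):
    """True if the fragment produces any element other than the single intended <input>."""
    return any(tag != "input" for tag, _ in parse_tags(fragment))


def recovered_value(fragment):
    """The decoded value attribute of the first <input>, or None if there is none."""
    for tag, attrs in parse_tags(fragment):
        if tag == "input":
            return attrs.get("value")
    return None


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        out = render(ATTACK_TITLE)
        print(render.__name__, "->", out, "| script injected:", injects_script(out))
```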