Admin: Escape ticket title on Discussion screen to avoid XSS.
If `run_wptexturize` is disabled, the following subject title would allow an attacker to perform cross-site scripting:

`"><script>alert('hi');</script>`

That attack has a CVSS score of 4.7 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

The rest of the output was reformatted to improve readability and make it easier to spot missing escaping functions or other problems.

Props https://hackerone.com/whitehatter for discovering and disclosing responsibly.

Fixes https://hackerone.com/reports/145086
iandunn committed Jun 20, 2016
1 parent 71a6053 commit c08d376
Showing 1 changed file with 17 additions and 4 deletions.
21 changes: 17 additions & 4 deletions classes/class-supportflow-admin.php
Expand Up @@ -899,12 +899,25 @@ public function render_meta_box_details_actions() {
* A box that appears at the top
*/
public function meta_box_subject() {
?>

<h4><?php _e( 'Subject', 'supportflow' ); ?></h4>

$placeholder = __( 'What is your conversation about?', 'supportflow' );
echo '<h4>' . __( 'Subject', 'supportflow' ) . '</h4>';
echo '<input type="text" id="subject" name="post_title" class="sf_autosave" placeholder="' . $placeholder . '" value="' . get_the_title() . '" autocomplete="off" />';
echo '<p class="description">' . __( 'Please describe what this ticket is about in several words', 'supportflow' ) . '</p>';
<input
type="text"
id="subject"
name="post_title"
class="sf_autosave"
placeholder="<?php _e( 'What is your conversation about?', 'supportflow' ); ?>"
value="<?php echo esc_attr( get_the_title() ); ?>"
autocomplete="off"
/>

<p class="description">
<?php _e( 'Please describe what this ticket is about in several words', 'supportflow' ) ?>
</p>

<?php
}

/**
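Review bot: the `placeholder` attribute on the new `<input>` still outputs its translated string via `_e()` with no attribute escaping, while `value` now goes through `esc_attr()`; for consistency use `esc_attr_e( 'What is your conversation about?', 'supportflow' )` there (and `esc_html_e()` for the `<h4>` and `<p class="description">` text), so a translation containing a double quote cannot break out of the attribute. Minor style point: the `<p class="description">` line omits the semicolon before `?>`, which PHP tolerates, but the `<h4>` line above includes it.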
