Permalink
Browse files

List tables: escape user e-mails

Merges [34133] for 4.3 branch

Built from https://develop.svn.wordpress.org/branches/4.3@34137


git-svn-id: http://core.svn.wordpress.org/branches/4.3@34105 1a063a9b-81f0-0310-95a4-ce76da25c4cd
  • Loading branch information...
nb committed Sep 14, 2015
1 parent 5fe5a0e commit f91a5fd10ea7245e5b41e288624819a37adf290a
@@ -233,7 +233,7 @@ public function column_name( $user ) {
* @param WP_User $user The current WP_User object.
*/
public function column_email( $user ) {
echo "<a href='mailto:$user->user_email'>$user->user_email</a>";
echo "<a href='" . esc_url( "mailto:$user->user_email" ) . "'>$user->user_email</a>";
}
/**
@@ -435,7 +435,7 @@ public function single_row( $user_object, $style = '', $role = '', $numposts = 0
$r .= "$user_object->first_name $user_object->last_name";
break;
case 'email':
$r .= "<a href='mailto:$email'>$email</a>";
$r .= "<a href='" . esc_url( "mailto:$email" ) . "'>$email</a>";
break;
case 'role':
$r .= $role_name;

2 comments on commit f91a5fd

@fgeek

This comment has been minimized.

Copy link

fgeek replied Nov 2, 2015

Please use CVE-2015-7989.
CVE request: http://www.openwall.com/lists/oss-security/2015/10/26/7

@sanginovs

This comment has been minimized.

Copy link

sanginovs replied Feb 10, 2019

@nb can you give an example of JS code that could pop an alert box on this vulnerability?
I know that character such as single quote and double quote, <script>, () are not allowed and was wondering how one could bypass the previous code: $r .= "$email";

Please sign in to comment.