Skip to content
Permalink
Browse files Browse the repository at this point in the history
List tables: escape user e-mails
Merges [34133] for 4.3 branch

Built from https://develop.svn.wordpress.org/branches/4.3@34137


git-svn-id: http://core.svn.wordpress.org/branches/4.3@34105 1a063a9b-81f0-0310-95a4-ce76da25c4cd
  • Loading branch information
nb committed Sep 14, 2015
1 parent 5fe5a0e commit f91a5fd
Show file tree
Hide file tree
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion wp-admin/includes/class-wp-ms-users-list-table.php
Expand Up @@ -233,7 +233,7 @@ public function column_name( $user ) {
* @param WP_User $user The current WP_User object.
*/
public function column_email( $user ) {
echo "<a href='mailto:$user->user_email'>$user->user_email</a>";
echo "<a href='" . esc_url( "mailto:$user->user_email" ) . "'>$user->user_email</a>";
}

/**
Expand Down
2 changes: 1 addition & 1 deletion wp-admin/includes/class-wp-users-list-table.php
Expand Up @@ -435,7 +435,7 @@ public function single_row( $user_object, $style = '', $role = '', $numposts = 0
$r .= "$user_object->first_name $user_object->last_name";
break;
case 'email':
$r .= "<a href='mailto:$email'>$email</a>";
$r .= "<a href='" . esc_url( "mailto:$email" ) . "'>$email</a>";
break;
case 'role':
$r .= $role_name;
Expand Down

2 comments on commit f91a5fd

@fgeek
Copy link

@fgeek fgeek commented on f91a5fd Nov 2, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sanginovs
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nb can you give an example of JS code that could pop an alert box on this vulnerability?
I know that character such as single quote and double quote, <script>, () are not allowed and was wondering how one could bypass the previous code: $r .= "$email";

Please sign in to comment.