You're outputting a potentially unescaped value from the database in javascript at: https://github.com/alleyinteractive/wordpress-fieldmanager/blob/master/php/util/class-fieldmanager-util-validation.php#L260
To fix, just have `Fieldmanager_Util_Validation::format_value` do an `esc_js` for strings. Since `strval` isn't actually doing anything useful here you can keep it or let it go — it's just turning the value into a string if it happens to be an integer or something. Strings can contain bad javascript though, so we have to escape it.

https://github.com/alleyinteractive/wordpress-fieldmanager/blob/master/php/util/class-fieldmanager-util-validation.php#L311
If it's a boolean or integer we can assume it's safe :)
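The contrast described in this issue, as an added example rather than Fieldmanager's own code: a hypothetical `format_value_unescaped` that emits a database string verbatim into inline JavaScript, next to a hypothetical `format_value_escaped` that passes booleans and integers through unchanged and runs everything else through `esc_js`. The `esc_js` fallback at the top is an assumption, a simplified stand-in so the script runs outside WordPress; inside WordPress the real `esc_js` is used instead.

```php
<?php
// Added example, not Fieldmanager's code. Outside WordPress, esc_js() does not
// exist, so a simplified stand-in is defined here (an assumption, NOT the real
// implementation): HTML-special-character encoding, backslash/quote escaping
// and newline escaping, which is what matters for a single-quoted JS string.
if ( ! function_exists( 'esc_js' ) ) {
    function esc_js( $text ) {
        $text = htmlspecialchars( (string) $text, ENT_COMPAT, 'UTF-8' ); // < > " & -> entities, ' left alone
        $text = str_replace( "\r", '', $text );
        $text = str_replace( "\n", '\\n', addslashes( $text ) );        // ' \ escaped, newline -> \n
        return $text;
    }
}

/**
 * Hypothetical "before" version: strval() only casts; a string from the
 * database is written into the inline script exactly as stored.
 */
function format_value_unescaped( $value ) {
    if ( is_bool( $value ) ) {
        return $value ? 'true' : 'false';
    }
    if ( is_int( $value ) ) {
        return strval( $value );
    }
    return "'" . strval( $value ) . "'";
}

/**
 * Hypothetical "after" version: booleans and integers cannot carry script
 * and are emitted as-is; any other value is cast to string and escaped.
 */
function format_value_escaped( $value ) {
    if ( is_bool( $value ) ) {
        return $value ? 'true' : 'false';
    }
    if ( is_int( $value ) ) {
        return strval( $value );
    }
    return "'" . esc_js( strval( $value ) ) . "'";
}

// Constructed sample: a stored field value containing a quote and JS text.
$stored = "O'Reilly'; alert(1); //";

foreach ( array( 'format_value_unescaped', 'format_value_escaped' ) as $fn ) {
    // Emulate the inline validation-rule assignments the helper feeds into.
    echo $fn, ":\n";
    echo "  rule.value   = ", $fn( $stored ), ";\n";
    echo "  rule.enabled = ", $fn( true ), ";\n";
    echo "  rule.max     = ", $fn( 42 ), ";\n\n";
}
```

Run with `php example.php`: the unescaped branch prints a `rule.value` line whose string literal is closed early by the stored quote, leaving `alert(1)` as live code, while the escaped branch prints `'O\'Reilly\'; alert(1); //'`, a single intact JavaScript string. The boolean and integer lines are identical in both branches, which is the point made at the end of the issue.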