Potential XSS issue with add_query_arg() and remove_query_arg() #39
As you may know, quite recently there was news that WordPress plugins could suffer from an XSS vulnerability if they use
Checking your source it seems the functions are used in the following lines of feedwordpress.php:
I am not actually sure if FeedWordPress is vulnerable but I think it should be looked at and
I don't think so. As I understand it, the two functions were never meant to escape their inputs / outputs. It was a bug in the documentation which led plugin developers to falsely assume it does and resulted in implementing this security hole unknowingly.
I am by no means a WordPress or plugin developer, so take this with two spoons of salt and pepper!... I don't actually know what's happening with
So basically adding `esc_url()` every time the URL might be printed somewhere and adding `esc_url_raw()` every time the URL is used for a header.
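The pattern the thread settles on, as an added example that is not FeedWordPress's own code and not part of the original issue. It assumes WordPress core is loaded (`add_query_arg()`, `remove_query_arg()`, `esc_url()`, `esc_url_raw()` and `wp_safe_redirect()` are core functions); the `fwp_example_*` function names are hypothetical and the `post` / `paged` query keys are chosen only for illustration.

```php
<?php
// Added example, not FeedWordPress's own code. Requires WordPress to be loaded.
// Function names prefixed fwp_example_ are hypothetical.

// Unsafe pattern: with no $url argument, add_query_arg() and remove_query_arg()
// build on $_SERVER['REQUEST_URI'] and return it unescaped, so whatever the
// current request URI contains is written straight into the href attribute.
function fwp_example_link_unsafe( $post_id ) {
    $url = add_query_arg( array( 'post' => (int) $post_id ), remove_query_arg( 'paged' ) );
    return '<a href="' . $url . '">Next</a>';
}

// Hardened for output: esc_url() whenever the URL is printed into HTML.
function fwp_example_link_safe( $post_id ) {
    $url = add_query_arg( array( 'post' => (int) $post_id ), remove_query_arg( 'paged' ) );
    return '<a href="' . esc_url( $url ) . '">Next</a>';
}

// Hardened for headers: esc_url_raw() whenever the URL goes into a redirect
// or is stored, where HTML entity encoding would be wrong.
function fwp_example_redirect_safe( $post_id ) {
    $url = add_query_arg( array( 'post' => (int) $post_id ), remove_query_arg( 'paged' ) );
    wp_safe_redirect( esc_url_raw( $url ) );
    exit;
}
```

The distinction matters because `esc_url()` entity-encodes characters such as `&` for an HTML context, which is what you want inside an attribute but not in a `Location:` header; `esc_url_raw()` sanitizes the URL without that encoding. Passing an explicit, known base URL as the second argument instead of relying on the request URI reduces how much untrusted input reaches the output in the first place.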