Security: escape customer/product output in the Broadcast list table#1373
Security: escape customer/product output in the Broadcast list table#1373vuckro wants to merge 1 commit into
Conversation
column_target_customers() and column_target_products() interpolated customer display names, email addresses and product names straight into HTML — including into single-quoted aria-label attributes. A customer controls their own display name, so a crafted name (display names are not HTML-escaped by WordPress on save and may contain quotes) is stored and then rendered unescaped when a network admin views the Broadcasts list, yielding stored XSS in the network-admin context. Escape each interpolated value for its context with esc_url() for links, esc_attr() for attribute values and esc_html() for text nodes. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Warning Review limit reached
More reviews will be available in 29 minutes and 17 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
1 participant
Summary
column_target_customers()andcolumn_target_products()interpolated customerdisplay names, email addresses and product names directly into HTML — including
into single-quoted
aria-labelattributes. A customer controls their owndisplay name (WordPress does not HTML-escape display names on save), so a crafted
name is stored and then rendered unescaped when a network admin views the
Broadcasts list — a stored XSS that fires in the network-admin context.
Changes
Escape each interpolated value for its context:
esc_url()for links,esc_attr()for attribute values,esc_html()for text nodes.Compatibility
Output-only change; rendered markup is identical for non-malicious data.
Part of a small series of focused security hardening PRs. Full technical detail
is available privately to the maintainers on request (coordinated disclosure).