Home Forums Product Support Jorgen Improper output escaping on story fields

Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
  • #4901
    Pamela Hileman

    I was doing some testing of this theme for our large multisite, and unfortunately can’t use due to some places where it is possible for users to potential inject JavaScript into the page. We do not permit JavaScript due to security concerns – so this has unfortunately left the theme un-usable for us.

    For example I can set one of the Cover Text Color options to a value like: ” #fff;</style><script>alert(‘alert’);</script><style>” and the page will execute that script. I’ve found this also applies to the Cover Lines fields, and the Maximum Font/Title fields as well. https://cl.ly/image/2Q253F2O1g12

    Ideally this output should run through an output sanitation function like esc_html or esc_js like the following: https://cl.ly/image/3K1x1i3S2220 . Also it would be helpful if the input ran through the sanatize_text_field function before saving the post meta data. https://codex.wordpress.org/Function_Reference/sanitize_text_field

    For more about output sanitation functions in WordPress please see: https://codex.wordpress.org/Data_Validation#Output_Sanitation

    If you have any questions feel free to send me e-mail at jgw5017@psu.edu.


    Nick Haskins

    Hey Jared,
    Thanks for reaching out. Judging by your screenshot, something isn’t setup correctly. You shouldn’t have any text fields. If you check console do you get any 404’s on the assets being enqueued? This is what it should look like:


    Pamela Hileman

    Thanks for the time on this Nick. I’ve responded to you via e-mail.

    Jenny @ Aesop

    Hi Pamela. I know you were speaking with Nick via email. Please let me know if you still need assistance with this topic otherwise I’ll mark it as resolved in a few days. Thanks!

Viewing 4 posts - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.