rjones
| July 11, 2012 at 9:35 am I found this issue in the following file: wp-content\plugins\event-espresso.3.1.21.P\includes\functions\main.php Line 660 just lists the $question->group_name without taking into account apostrophes. I modified the line to read:
$html .= $question->show_group_name != 0 ? “” . stripslashes($question->group_name) . “” : ”; This fixes it. You really should sanitize all output before displaying it. I haven’t seen this else where so I think it’s one that just slipped through the cracks. |
Josh
| July 11, 2012 at 12:34 pm Thanks. It might be, there was some more work done on escaping apostrophes since 3.1.21, but this one might’ve slipped through. I’ll let the dev team know. |
rjones
| July 11, 2012 at 1:21 pm Thanks for the response. I just noticed that the same issue occurs in the admin section as well – but it’s not quite as important there. |
rjones
| July 11, 2012 at 1:23 pm Oh – and the same issue occurs in event-espresso.3.1.24.1.P as well – Just an FYI. All that being said, the plugin is still a very great product. |
Josh
| July 11, 2012 at 1:38 pm I’ve created a ticket for this. |
