|
rjones
|
July 11, 2012 at 9:35 am
I found this issue in the following file:
wp-content\plugins\event-espresso.3.1.21.P\includes\functions\main.php
Line 660 just lists the $question->group_name without taking into account apostrophes.
I modified the line to read:
$html .= $question->show_group_name != 0 ? “” . stripslashes($question->group_name) . “” : ”;
This fixes it.
You really should sanitize all output before displaying it. I haven’t seen this else where so I think it’s one that just slipped through the cracks.
|
|
Josh
|
July 11, 2012 at 12:34 pm
Thanks. It might be, there was some more work done on escaping apostrophes since 3.1.21, but this one might’ve slipped through. I’ll let the dev team know.
|
|
rjones
|
July 11, 2012 at 1:21 pm
Thanks for the response. I just noticed that the same issue occurs in the admin section as well – but it’s not quite as important there.
|
|
rjones
|
July 11, 2012 at 1:23 pm
Oh – and the same issue occurs in event-espresso.3.1.24.1.P as well – Just an FYI.
All that being said, the plugin is still a very great product.
|
|
Josh
|
July 11, 2012 at 1:38 pm
I’ve created a ticket for this.
|
