Is Thematic affected?

Home Forums Using Thematic ( without a child theme ) Is Thematic affected?

This topic is: not resolved

This topic contains 2 replies, has 2 voices, and was last updated by  silas 4 years, 11 months ago.

Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
  • #4401


    Ref the XSS vuln referred to here I wonder if Thematic 2.0 is also affected.

    In comments-extensions.php I found this

    			$link = add_query_arg( 'cpage', $args['page'], get_permalink( $comment->comment_post_ID ) );

    Does add_query_arg need to be escaped?




    The short answer: No, Thematic is not subject to this vulnerability.

    The long answer:
    The XSS vulnerability comes from when the add_query_arg() function is called without the optional third parameter. The function then defaults to use $_SERVER['REQUEST_URI'] which is something that needs to be escaped before output.

    Since we are sending a known safe URL to the function, we are not technically required to escape the output.

    That said, I will probably add url escaping anyway. Just because it’s a good thing to do.

    Thank you for bringing the issue up for everyone’s attention. It’s great that you are paying attention to security matters.



    Thank you for the information – that is good news.

    Thank you also for continuing to support this great theme.

Viewing 3 posts - 1 through 3 (of 3 total)

The topic ‘Is Thematic affected?’ is closed to new replies.