Authenticated(Editor+) Stored Cross-Site Scripting

samiahmedsiddiqui · Aug 20, 2024 · caf4d6c · caf4d6c
1 parent 1572bdc
commit caf4d6c
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 6 deletions.
diff --git a/admin/class-custom-permalinks-post-types-table.php b/admin/class-custom-permalinks-post-types-table.php
@@ -239,12 +239,13 @@ protected function column_title( $item ) {
 		}
 
 		$edit_link            = get_edit_post_link( $item['ID'] );
-		$title_with_edit_link = $post_title;
+		$title_with_edit_link = esc_html( $post_title );
 		if ( ! empty( $edit_link ) ) {
 			$title_with_edit_link = sprintf(
-				'<a href="%s" target="_blank" title="' . esc_html__( 'Edit ', 'custom-permalinks' ) . ' ' . $post_title . '">%s</a>',
+				'<a href="%1s" target="_blank" title="' . esc_attr__( 'Edit', 'custom-permalinks' ) . ' %2s">%3s</a>',
 				$edit_link,
-				$post_title
+				esc_attr( $post_title ),
+				$title_with_edit_link
 			);
 		}
 

diff --git a/admin/class-custom-permalinks-taxonomies-table.php b/admin/class-custom-permalinks-taxonomies-table.php
@@ -249,12 +249,13 @@ protected function column_title( $item ) {
 			}
 		}
 
-		$title_with_edit_link = $term_title;
+		$title_with_edit_link = esc_html( $term_title );
 		if ( ! empty( $edit_link ) ) {
 			$title_with_edit_link = sprintf(
-				'<a href="%s" target="_blank" title="' . esc_html__( 'Edit ', 'custom-permalinks' ) . ' ' . $term_title . '">%s</a>',
+				'<a href="%1s" target="_blank" title="' . esc_attr__( 'Edit', 'custom-permalinks' ) . ' %2s">%3s</a>',
 				$edit_link,
-				$term_title
+				esc_attr( $term_title ),
+				$title_with_edit_link
 			);
 		}