• First off, thanks for this plugin. It's great.

    Now I just noticed something that may or may not be by design. Essentially, when you output the content of meta, you're not escaping the value. For cases where your meta can contain script tags, they will execute on the edit screen.

    Consider the following:

    // Output loop from the plugin's edit-screen box; $value is the list of stored
    // values for one meta key, so $value_array is a single stored meta value.
    foreach ( $value as $name_array => $value_array ) {
        // esc_html() turns < > & " ' into entities, so a stored <script> renders as text.
        echo $name_array . '  =>  ' . esc_html( $value_array );
        // Note: var_dump() prints straight to the output and returns null (so wrapping
        // it in echo prints nothing extra); its output is the raw, unescaped value.
        var_dump( $value_array );
    }

    Without the esc_html, the following immediately redirects you to another page. If this were on a server, I don't know many people who would be able to modify and stop the code from executing.

    <script>
        window.location = "http://www.example.com";
    </script>

    If this is by design, it is what it is. But if you're not opposed to escaping the output, I would highly recommend it.

    Thanks!

    https://wordpress.org/plugins/debug-meta-data/
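The sink described in the post above, side by side with the escaped version, as an added example that is not the plugin's code and not part of the original thread. It assumes it is run outside WordPress, so esc_html() is shimmed with htmlspecialchars() (the real esc_html() also normalises the input encoding and handles already-encoded entities); inside WordPress the shim is skipped because the function exists. The meta array, its keys and the payloads are constructed for the example.

```php
<?php
// Added example, not the Debug Meta Data plugin's own code.
// Assumption: running outside WordPress, so esc_html() is shimmed. The shim is
// skipped inside WordPress, where the real esc_html() is defined.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Constructed sample: the shape get_post_meta( $post_id ) returns, i.e.
// meta_key => array of stored values. Keys and values are made up here.
// '_tracking' carries the redirect payload from the post above; 'gallery'
// shows that a stored (unserialised) array can hide a payload one level down.
$meta = array(
    'subtitle'  => array( 'Quarterly numbers' ),
    '_tracking' => array( '<script>window.location = "http://www.example.com";</script>' ),
    'gallery'   => array( array( 'alt' => '<img src=x onerror=alert(1)>', 'id' => 7 ) ),
);

// Vulnerable form: the stored value is dropped straight into the edit-screen
// HTML, so the <script> in '_tracking' runs as soon as anyone opens the post.
function render_meta_unescaped( array $meta ) {
    $html = '';
    foreach ( $meta as $key => $values ) {
        foreach ( $values as $value ) {
            $shown = is_array( $value ) ? print_r( $value, true ) : $value;
            $html .= '<li>' . $key . '  =>  ' . $shown . "</li>\n";
        }
    }
    return $html;
}

// Hardened form: every key and every leaf value goes through esc_html(),
// including values nested inside arrays. Escaping only the top-level scalar
// would still leak the payload stored inside 'gallery'.
function escape_deep( $value ) {
    if ( is_array( $value ) ) {
        $parts = array();
        foreach ( $value as $k => $v ) {
            $parts[] = esc_html( $k ) . ': ' . escape_deep( $v );
        }
        return '[' . implode( ', ', $parts ) . ']';
    }
    return esc_html( $value );
}

function render_meta_escaped( array $meta ) {
    $html = '';
    foreach ( $meta as $key => $values ) {
        foreach ( $values as $value ) {
            $html .= '<li>' . esc_html( $key ) . '  =>  ' . escape_deep( $value ) . "</li>\n";
        }
    }
    return $html;
}

echo "--- unescaped: the <script> below executes when this HTML is rendered ---\n";
echo render_meta_unescaped( $meta );
echo "--- escaped: the same values render as visible text ---\n";
echo render_meta_escaped( $meta );
```

esc_html() is the right call only because the values land in element text. If the box ever puts a value into an attribute or into inline JavaScript, use esc_attr() or wp_json_encode() for that context instead. Escaping also costs nothing for the "localhost only" use case, while protecting against the plugin being left active on a staging or live site where other users can write post meta.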

Viewing 1 replies (of 1 total)
  • Plugin Author Ahmad Awais

    (@mrahmadawais)

    It was an intentional decision by design. This plugin is strictly meant to be used over localhost. What do you think? What I can do is add a settings page to disable it and have two enable options, with or without escaped data?

  • The topic ‘esc_html on $value_array and $valueAr’ is closed to new replies.