Escaping improvements
-
Having a quick look at the code, it’s missing a bunch of output escaping. For example, take the
cooke_version_render()function:value="<?php echo $options['cookie_version']; ?>">That value isn’t being escaped. It should be wrapped in
esc_attr, like so:value="<?php echo esc_attr( $options['cookie_version'] ); ?>">I’d suggest spending a couple of hours auditing the plugin everywhere you output values, and verify that everything’s escaped.
- The topic ‘Escaping improvements’ is closed to new replies.
