Escaping improvements
Having a quick look at the code, it’s missing a bunch of output escaping. For example, take the cooke_version_render() function:

```php
value="<?php echo $options['cookie_version']; ?>">
```

That value isn’t being escaped. It should be wrapped in esc_attr, like so:

```php
value="<?php echo esc_attr( $options['cookie_version'] ); ?>">
```
I’d suggest spending a couple of hours auditing the plugin everywhere you output values, and verify that everything’s escaped.
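As an added illustration (not code from the plugin or the reply above), here is a settings-field callback rendered both ways, fed a constructed option value containing a double quote; the function names and the `esc_attr` stand-in are assumptions so it runs outside WordPress.

```php
<?php
// Added example, not the plugin's own code: the same settings field rendered
// without and with esc_attr(), fed a constructed option value that contains
// a double quote, to show why attribute output must be escaped.

// Stand-in so this file runs outside WordPress; inside a plugin, WordPress
// provides esc_attr() and this block is skipped.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Hypothetical callback mirroring the unescaped pattern: the quote in the
// option value closes the value="" attribute and the remainder becomes markup.
function cookie_version_field_unescaped( $options ) {
    return '<input type="text" name="cookie_version" value="'
        . $options['cookie_version'] . '">';
}

// Hypothetical callback with the fix: esc_attr() turns the quote into &quot;,
// so the whole stored value stays inside the attribute.
function cookie_version_field_escaped( $options ) {
    return '<input type="text" name="cookie_version" value="'
        . esc_attr( $options['cookie_version'] ) . '">';
}

// Constructed option value: a stored setting that contains a quote and
// an extra attribute, as an untrusted value in the database might.
$options = array( 'cookie_version' => '1.0" data-injected="true' );

echo cookie_version_field_unescaped( $options ), "\n";
echo cookie_version_field_escaped( $options ), "\n";
```

The first line prints an input with an extra data-injected attribute; the second keeps the entire string as the value. The same audit applies to text nodes (esc_html) and URLs (esc_url), since each output context needs its own escaping function.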