- Does not escape all HTML on output (for example the Template Name field). The capability required to reach the affected field appears to be manage_network, which on a multisite network is held only by super admins.
- For some reason it attempts to strip SCRIPT tags out of template and category descriptions with regular expressions (blogtemplatesfiles/admin/categories_menu.php line 138, blogtemplatesfiles/admin/main_menu.php line 417). This does not work as protection: a payload that carries its JavaScript in an event handler rather than a script tag, such as `<img onerror="alert(3)" src="">`, passes straight through. It is unclear what the stripping is intended to prevent
- No other issues found
Read more about our failure criteria.
Lack of proper output escaping
We conduct these inspections for our own use, and publish them in the hope that they may be useful to others. We don't guarantee that these findings are correct.
Please read this site's terms of service before taking any action based on information published here.
- Author: Tom Adams
- Last revised: December 22, 2016
- Versions tested:
- Plugin homepage: New Blog Templates