• Resolved Ov3rfly

    (@ov3rfly)


    Bug in security fix in function column_edit_hidden_fields() in 5.9.0 causes incomplete/invalid output of hidden field HTML and also causes PHP warning:

    PHP Warning:  Undefined variable $html in .../wp-content/plugins/event-post/eventpost.php on line 2941

    Current code:

    function column_edit_hidden_fields($post_id, $set){
    	$event = $this->retreive($post_id);
    	$html .= '<div class="hidden">';
    	if ($event != false){
    		foreach($this->quick_edit_fields[$set] as $fieldname=>$fieldlabel){
    			$html ='<span class="inline-edit-value '.$fieldname.'">'.esc_attr($event->$fieldname).'</span>';
    		}
    		$html = '</div>';
    	}
    	echo wp_kses($html, $this->kses_tags);
    }
    

    Suggested fix, all three lines with $html are affected:

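    function column_edit_hidden_fields($post_id, $set){
    	$event = $this->retreive($post_id);
    	// Initialise $html with "=" so nothing is appended to an undefined variable.
    	$html = '<div class="hidden">';
    	if ($event != false){
    		foreach($this->quick_edit_fields[$set] as $fieldname=>$fieldlabel){
    			// Append with ".=" so each field's span is kept instead of overwriting the previous one.
    			$html .= '<span class="inline-edit-value '.$fieldname.'">'.esc_attr($event->$fieldname).'</span>';
    		}
    	}
    	// Close the wrapper outside the if block so the div is always balanced.
    	$html .= '</div>';
    	echo wp_kses($html, $this->kses_tags);
    }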
    

    Event post 5.9.2, WordPress 6.4.3, PHP 8.1.x

Viewing 1 replies (of 1 total)
  • The topic ‘Bug in security fix in function column_edit_hidden_fields’ is closed to new replies.