Fix error message sanitization
Description
After upgrading from 4.6.0 to 4.6.2 the error messages have started to be interpreted as text instead of HTML. For projects that use auth0_verify_email_page this can break the entire error page. This bug was reported in issue #910.
My solution was to use wp_kses_post instead of just wp_kses to sanitize the error messages. This allows the projects to use any HTML tag already allowed in any WordPress post, so it's a safe way to sanitize the error messages.
References
Issue #910
Testing
You can test it by generating authentication errors and checking if the error message is correctly interpreted as HTML instead of text.
- [ ] This change adds test coverage for new/changed/fixed functionality
Checklist
- [ ] I have added documentation for new/changed functionality in this PR or in auth0.com/docs
- [ ] All active GitHub checks for tests, formatting, and security are passing
- [ ] The correct base branch is being used, if not the default branch
Hello - can we get someone assigned to review the issue? Thank you.
I'm not sure this is going to get any traction, but I've observed the same problem, and I think the culprit is actually the esc_html($html) call here, since that is taking the existing HTML markup and escaping it as <.
So I'm not sure that this PR actually solves the problem identified in #910.
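The two behaviours discussed in this thread, an allowlist sanitizer that keeps safe markup (the wp_kses_post approach in the PR description) versus markup that is HTML-escaped before it reaches the sanitizer (the esc_html ordering the last comment suspects), modelled as an added Python example. This is not the plugin's or WordPress's code: the allowed-tag table and the scheme check are assumptions that only loosely imitate kses, and the error fragment is constructed.

```python
import html
from html.parser import HTMLParser

# Assumed allowlist: a small subset of what WordPress permits in post content.
ALLOWED = {"p": set(), "br": set(), "strong": set(), "em": set(),
           "ul": set(), "li": set(), "a": {"href", "title"}}
SAFE_HREF = ("http:", "https:", "mailto:", "/")   # rejects javascript:, data:
VOID = {"br"}


class AllowlistSanitizer(HTMLParser):
    """kses-style: keep allowlisted tags/attributes, drop everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:            # unknown tag dropped, its text kept
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:  # drops on*, style, class, ...
                continue
            href = (value or "").strip().lower()
            if name == "href" and not href.startswith(SAFE_HREF):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):          # text nodes are re-escaped
        self.out.append(html.escape(data, quote=False))


def sanitize(fragment: str) -> str:
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


def escape_then_sanitize(fragment: str) -> str:
    # Escaping first turns every tag into text; the sanitizer never sees markup,
    # so the browser shows literal "<p>" instead of rendering the error page.
    return sanitize(html.escape(fragment))


# Constructed sample: the kind of verify-email error fragment that broke.
ERROR_HTML = '<p>Please <a href="https://example.com/resend">verify your email</a>.</p>'
HOSTILE = '<p onclick="x()">Hi <script>alert(1)</script><a href="javascript:alert(1)">x</a></p>'
```

Running `sanitize(ERROR_HTML)` returns the fragment unchanged, `sanitize(HOSTILE)` returns `<p>Hi alert(1)<a>x</a></p>`, and `escape_then_sanitize(ERROR_HTML)` returns only escaped text, which is the symptom reported in #910.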