
Unescaped SVG injection #1

@rsanchez-beapi

Description

SVGs are injected directly into the HTML without sanitization.

// $icons[ $icon ]['svg'] is spliced into the replacement string as-is, so any
// markup the stored SVG carries (script, on* handlers, ...) lands in the page.
$block_content = $positionLeft
    ? preg_replace( '/(<a[^>]*>)(.*?)(<\/a>)/i', '$1<span class="wp-block-button__link-icon" aria-hidden="true">' . $icons[ $icon ][ 'svg' ] . '</span>$2$3', $block_content )
    : preg_replace( '/(<a[^>]*>)(.*?)(<\/a>)/i', '$1$2<span class="wp-block-button__link-icon" aria-hidden="true">' . $icons[ $icon ][ 'svg' ] . '</span>$3', $block_content );

Probable solution: use wp_kses() to sanitize before injection

// wp_kses() keeps only the listed elements and attributes and strips everything
// else; names are matched case-insensitively, so 'viewbox' also admits viewBox.
$svg_content = wp_kses(
    $icons[ $icon ]['svg'],
    array(
        'svg' => array(
            'viewbox' => true,
            'xmlns' => true,
        ),
        'path' => array(
            'd' => true,
            'fill-rule' => true,
            'clip-rule' => true,
        ),
    )
);
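The following is an added example, not the plugin's own code and not part of the issue above. It shows the same allowlist idea implemented on DOMDocument so it runs stand-alone without WordPress, and the hardened form of the icon-injection step. Two caveats a practitioner would want: the allowlist proposed in the issue keeps only svg/path with viewBox, xmlns, d, fill-rule and clip-rule, so any icon that uses g, circle, rect, width, height or fill would be silently mangled, which is why the list below (an assumption about the icon set, to be checked against the real one) is wider; and unlike wp_kses(), which removes disallowed tags but keeps their text content, this version drops the whole disallowed subtree, which is the right behaviour for icons. It assumes PHP 8.0 or later, where external entity loading is disabled by default, and well-formed XML icons.

```php
<?php
// Added example, not the plugin's code: an allowlist SVG sanitiser built on
// DOMDocument so it runs outside WordPress, plus a hardened version of the
// icon-injection step. Assumptions: PHP >= 8.0, well-formed icons, and an
// element/attribute allowlist that matches the icon set actually shipped.
declare(strict_types=1);

// Elements an icon may contain, each with the attributes it may carry.
// Namespace declarations (xmlns, xmlns:xlink) are not DOM attributes; the
// serializer re-emits the ones still in use. href/xlink:href are deliberately
// absent: allowing them would require a scheme check (javascript:, data:).
const ICON_ALLOWLIST = [
    'svg'    => ['viewbox', 'width', 'height', 'fill', 'aria-hidden', 'focusable'],
    'g'      => ['fill', 'stroke', 'transform'],
    'path'   => ['d', 'fill', 'fill-rule', 'clip-rule', 'stroke', 'stroke-width'],
    'circle' => ['cx', 'cy', 'r', 'fill'],
    'rect'   => ['x', 'y', 'width', 'height', 'rx', 'ry', 'fill'],
];

function strip_disallowed_attributes(DOMElement $el): void
{
    $allowed = ICON_ALLOWLIST[strtolower($el->localName)];
    // Copy first: removing from a live DOMNamedNodeMap while iterating skips entries.
    foreach (iterator_to_array($el->attributes, false) as $attr) {
        // localName drops the prefix, so xlink:href is judged as "href".
        if (!in_array(strtolower($attr->localName), $allowed, true)) {
            $el->removeAttributeNode($attr);
        }
    }
}

function prune_children(DOMNode $node): void
{
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            if (!isset(ICON_ALLOWLIST[strtolower($child->localName)])) {
                // Unlike wp_kses(), drop the whole subtree (script, foreignObject,
                // a, use, ...) rather than just the tags; an icon never needs it.
                $node->removeChild($child);
                continue;
            }
            strip_disallowed_attributes($child);
            prune_children($child);
        } elseif (!$child instanceof DOMText) {
            // Comments, processing instructions and entity references go too.
            $node->removeChild($child);
        }
    }
}

function sanitize_icon_svg(string $svg): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET: never reach out for DTDs or external entities.
    $ok = $doc->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok || strtolower($doc->documentElement->localName) !== 'svg') {
        return ''; // malformed or not an <svg> root: refuse the whole thing
    }
    strip_disallowed_attributes($doc->documentElement);
    prune_children($doc->documentElement);
    return (string) $doc->saveXML($doc->documentElement);
}

// Hardened form of the injection in the issue: sanitise first, and splice the
// result in via a callback so a "$1" inside the SVG is never interpreted as a
// preg_replace() replacement reference.
function inject_button_icon(string $block_content, string $raw_svg, bool $position_left): string
{
    $icon = '<span class="wp-block-button__link-icon" aria-hidden="true">'
        . sanitize_icon_svg($raw_svg) . '</span>';
    return (string) preg_replace_callback(
        '/(<a[^>]*>)(.*?)(<\/a>)/i',
        fn (array $m): string => $position_left
            ? $m[1] . $icon . $m[2] . $m[3]
            : $m[1] . $m[2] . $icon . $m[3],
        $block_content
    );
}

// Constructed sample: a valid icon path alongside the payloads a stored SVG
// can smuggle in (event handlers, script, javascript: link, foreignObject).
$hostile = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <a href="javascript:alert(2)"><circle cx="12" cy="12" r="4"/></a>
  <foreignObject><img xmlns="http://www.w3.org/1999/xhtml" src="x" onerror="alert(3)"/></foreignObject>
  <path d="M12 2 2 22h20z" fill-rule="evenodd" onclick="alert(4)"/>
</svg>
SVG;

echo inject_button_icon('<div class="wp-block-button"><a class="wp-block-button__link" href="/go">Go</a></div>', $hostile, true), "\n";
// Only <svg viewBox> and <path d fill-rule> survive: onload, onclick, the
// script, the javascript: link (with its circle) and foreignObject are gone.
```

The root check matters as much as the allowlist: if the stored value is not a well-formed document with an svg root, the function returns an empty string rather than trying to salvage it, so a parse failure can never fall back to echoing the raw input. Whitespace text nodes between elements are preserved, so the output keeps the original line breaks.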
