Filippo Toso
asked 7 years ago

Hi,

I tried to add a double quote in the subject of a notification email and the script failed to show it in the admin page after the refresh.

On row 131 of inc/settings.php I see the following code:

get_option( 'dwqa_subscrible_new_question_email_subject' )

But I think it should include a call to esc_html():

esc_html(get_option( 'dwqa_subscrible_new_question_email_subject' ))

In this way the double quote will be supported.

This change is probably needed in other input text used in the script. Also a "reverse" call should be made when the emails are sent to the user to replace the HTML entities with the correct character.

Sincerely,
Filippo Toso

1 Answers
Allen
answered 7 years ago

Yes, thank you very much for your contribution. Of course all the variables that will be echoed out should need an escape function, right? :) In this case we just forgot this. We're gonna fix this right away!
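
An added example, not part of the thread or of the plugin's code: it shows why an option value echoed into a form field breaks on a double quote and what escaping at output time changes. It assumes the subject is printed into an input's value attribute, uses WordPress's esc_attr() (the attribute-context counterpart of esc_html()), and defines stand-ins for get_option() and esc_attr() so it runs outside WordPress; the subject string is constructed.

```php
<?php
// Added example. Stand-ins so it runs outside WordPress; inside WordPress
// the real get_option() and esc_attr() are used instead.
if ( ! function_exists( 'get_option' ) ) {
    function get_option( $name ) {
        // Constructed sample value containing double quotes.
        return 'New "urgent" question posted';
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Parse a form field the way a browser would and return its value attribute.
function parsed_field_value( $html ) {
    libxml_use_internal_errors( true ); // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML( $html );
    libxml_clear_errors();
    return $doc->getElementsByTagName( 'input' )->item( 0 )->getAttribute( 'value' );
}

$option  = 'dwqa_subscrible_new_question_email_subject';
$subject = get_option( $option );

// Unescaped output: the first double quote in the value closes the attribute.
$raw_field = '<input type="text" name="' . $option . '" value="' . $subject . '">';

// Escaped at output time: quotes become entities, and the parser decodes them back.
$escaped_field = '<input type="text" name="' . $option . '" value="' . esc_attr( $subject ) . '">';

foreach ( array( 'raw' => $raw_field, 'escaped' => $escaped_field ) as $label => $html ) {
    printf( "%-8s markup: %s\n", $label, $html );
    printf( "%-8s value : %s\n\n", $label, parsed_field_value( $html ) );
}

// Escaping happened only in the markup; the stored option is untouched,
// so the string handed to the mailer still contains the literal quotes.
printf( "mail subject: %s\n", $subject );
```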
