Hi,
I tried to add a double quote in the subject of a notification email and the script failed to show it in the admin page after the refresh.
On row 131 of inc/settings.php I see the following code:
get_option( 'dwqa_subscrible_new_question_email_subject' )
But I think it should include a call to esc_html():
esc_html(get_option( 'dwqa_subscrible_new_question_email_subject' ))
In this way the double quote will be supported.
This change is probably needed in other text inputs used in the script. Also a "reverse" call should be made when the emails are sent to the user to replace the HTML entities with the correct character.
Sincerely,
Filippo Toso
Yes, thank you very much for your contribution. Of course all the variables that will be echoed out need an escape function, right? :) In this case we just forgot this. We are going to fix this right away!
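An added example of the pattern discussed in this thread (it is not code from the DW Question & Answer plugin and not the fix the maintainers shipped): the raw option echoed into a quoted attribute beside the escaped form, plus the save and mail-sending side. The option name is the one quoted above; the field markup and the dwqa_example_* function names are assumptions for illustration.

```php
<?php
/*
 * Added example (not from the DW Question & Answer plugin): escaping an option
 * value at output time so a double quote survives the settings page round trip.
 * The option name is the one from the thread; the field markup and the
 * dwqa_example_* function names are assumptions for illustration.
 */

// Pattern from the thread: the raw option is echoed straight into a quoted
// attribute. A subject like  New "hot" question  is cut off at the first double
// quote, and anything after it is parsed as attribute or markup, so this is an
// HTML injection sink as well as a display bug.
function dwqa_example_field_broken() {
    ?>
    <input type="text" name="dwqa_subscrible_new_question_email_subject"
           value="<?php echo get_option( 'dwqa_subscrible_new_question_email_subject' ); ?>" />
    <?php
}

// Fixed: escape for the context the value lands in. esc_attr() encodes " ' < > &
// so the attribute stays intact and the browser decodes it back to the original
// text inside the field. esc_html() also encodes quotes; esc_attr() is the
// function WordPress documents for attribute values.
function dwqa_example_field_fixed() {
    ?>
    <input type="text" name="dwqa_subscrible_new_question_email_subject"
           value="<?php echo esc_attr( get_option( 'dwqa_subscrible_new_question_email_subject' ) ); ?>" />
    <?php
}

// Saving: WordPress adds slashes to $_POST, so unslash first. sanitize_text_field()
// strips tags and control characters but leaves quotes as they are, so the stored
// value is the literal text the admin typed, not an entity-encoded copy.
function dwqa_example_save_subject( $raw ) {
    update_option(
        'dwqa_subscrible_new_question_email_subject',
        sanitize_text_field( wp_unslash( $raw ) )
    );
}

// Sending: because escaping happens only at output, the stored subject is plain
// text and needs no "reverse" step. If an older install saved an entity-encoded
// value, wp_specialchars_decode() with ENT_QUOTES turns &quot; and &#039; back
// into real quotes before the mail goes out, and is a no-op on plain text.
function dwqa_example_mail_subject() {
    $subject = get_option( 'dwqa_subscrible_new_question_email_subject', '' );
    return wp_specialchars_decode( $subject, ENT_QUOTES );
}

function dwqa_example_notify( $to ) {
    return wp_mail( $to, dwqa_example_mail_subject(), 'A new question was posted.' );
}
```

The rule this follows is the standard WordPress one: store the admin's input as plain text, escape once at the point of output with the function that matches the output context (esc_attr() for attribute values, esc_html() for element content), and never escape on the way into the database, so the email path can use the stored value directly.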