Little bug spotted
Hello, inside /includes/admin/fields/fed-form-singleline.php, the value attribute is not escaped. It breaks inputs containing quotes. Please change value='%s' and placeholder='%s', using esc_attr($value).

return sprintf(
    "<input type='text' name='%s' value='%s' class='%s' placeholder='%s' %s %s %s %s %s />",
    $name,
    esc_attr( $value ), // <--- Here it's bugging without esc_attr
    $class,
    esc_attr( $placeholder ), // Here too probably
    $disabled,
    $extra,
    $id,
    $readonly,
    $required
);
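
The breakage reported above, as an added example that is not part of the original post or the plugin's code: it renders the same single-quoted template with and without escaping, then parses the markup back to see whether the value survives. The helper names and sample values are hypothetical, and `attr_escape()` is a stand-in built on `htmlspecialchars()` so the script runs outside WordPress, where `esc_attr()` is not available.

```php
<?php
// Added example. esc_attr() is WordPress-only; attr_escape() below is a
// hypothetical stand-in built on htmlspecialchars() so this runs without WordPress.
function attr_escape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same single-quoted template shape as the snippet in the post (shortened).
function render_input(string $name, string $value, string $placeholder, bool $escape): string {
    if ($escape) {
        $value       = attr_escape($value);
        $placeholder = attr_escape($placeholder);
    }
    return sprintf(
        "<input type='text' name='%s' value='%s' placeholder='%s' />",
        $name, $value, $placeholder
    );
}

// Parse the markup with libxml's HTML parser and return the input's attributes.
function parsed_attributes(string $html): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate malformed markup
    $doc->loadHTML($html);
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    if ($input === null) {
        return [];
    }
    $attrs = [];
    foreach ($input->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;
    }
    return $attrs;
}

// Constructed sample values containing both quote styles.
$value       = "Joe's \"Diner\"";
$placeholder = "e.g. O'Neil";

foreach ([false, true] as $escape) {
    $html  = render_input('company', $value, $placeholder, $escape);
    $attrs = parsed_attributes($html);
    printf("escape=%s\n  html: %s\n  value round-trips: %s\n  attributes seen: %s\n",
        $escape ? 'yes' : 'no', $html,
        ($attrs['value'] ?? null) === $value ? 'yes' : 'no',
        implode(', ', array_keys($attrs)));
}
```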