Is there anything special about your setup? I tried reproducing this on my site and my testbed and was unable to do so. For whatever reason, Breadcrumb NavXT is getting confused over what type of item that page is. Looking more into the code, the only way I can see how this could occur is if you had an attachment to an attachment (the attachment’s parent is an attachment). Is this the case in your setup?
Hi John,
I’m not sure, you can take a look here:
https://cityofwinterpark.org/?attachment_id=9281
Thank you!
After a little more digging, I was able to reproduce this. I have fixed this, and the fix will be in the next release (5.2.1) and is being tracked in this GitHub issue: https://github.com/mtekk/Breadcrumb-NavXT/issues/107
Excellent! Don’t forget to add some XSS protection fixes on your next release if you use any of the compromised functions.
“If you’re using either add_query_arg or remove_query_arg without passing in the URL, it bases the URL it creates off of $_SERVER['REQUEST_URI']. In that process, it URL decodes the parameter names in the request URI, allowing for XSS. The solution is to simply wrap the output in esc_url and you’re done. Not a hard fix, but it has to be done.”
Source: https://yoast.com/coordinated-security-release/
Do you have an ETA on the launch of 5.2.1?
Thank you!
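The pattern described in the quoted advisory, shown next to its fix, as an added example that is not code from Breadcrumb NavXT or from the Yoast post. It assumes it runs inside WordPress (for instance from a theme's functions.php); the `example_` function names and the `view` query parameter are hypothetical.

```php
<?php
/**
 * Added example: the function names and the 'view' query parameter are
 * hypothetical. Runs inside WordPress, where add_query_arg(),
 * remove_query_arg(), esc_url(), esc_url_raw() and wp_safe_redirect() exist.
 */

// Before: no URL is passed, so add_query_arg() builds the link from
// $_SERVER['REQUEST_URI'], and the result is printed unescaped.
function example_list_view_link_unescaped() {
    $url = add_query_arg( 'view', 'list' );
    echo '<a href="' . $url . '">List view</a>';
}

// After: the same call, with the result passed through esc_url() on output.
function example_list_view_link() {
    $url = add_query_arg( 'view', 'list' );
    echo '<a href="' . esc_url( $url ) . '">List view</a>';
}

// remove_query_arg() has the same default, so it gets the same treatment.
function example_reset_view_link() {
    $url = remove_query_arg( 'view' );
    echo '<a href="' . esc_url( $url ) . '">Reset view</a>';
}

// When the URL goes into a redirect rather than into HTML, esc_url_raw()
// is the variant to use, since esc_url() encodes entities for display.
function example_redirect_to_list_view() {
    wp_safe_redirect( esc_url_raw( add_query_arg( 'view', 'list' ) ) );
    exit;
}
```

To audit a plugin for this, search for calls to `add_query_arg` and `remove_query_arg` and check that each result reaches output through `esc_url` or a redirect through `esc_url_raw`.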
I hope to launch it early next week. This week I have school work to contend with, and I need to run some more test cases on what may become 5.2.1.
Just an update to this: I’m punting out the release of 5.2.1 by a week, until May 18.
In case you need a new URL to troubleshoot, here you go:
https://cityofwinterpark.org/?attachment_id=9120