[wp-trac] [WordPress Trac] #56128: Wrong escaping in 'class-wp-nav-menu-widget.php' file
WordPress Trac
noreply at wordpress.org
Fri Jul 1 19:10:32 UTC 2022
#56128: Wrong escaping in 'class-wp-nav-menu-widget.php' file
--------------------------+-----------------------------------------------
Reporter: hztyfoon | Owner: SergeyBiryukov
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 6.1
Component: Widgets | Version: 4.3
Severity: normal | Resolution:
Keywords: has-patch | Focuses: administration, coding-standards
--------------------------+-----------------------------------------------
Changes (by SergeyBiryukov):
* version: trunk => 4.3
* milestone: Awaiting Review => 6.1
Comment:
Hi there, welcome to WordPress Trac! Thanks for the ticket.
Introduced in [33488] / #32814 for WordPress 4.3, setting the version
accordingly.
It looks like `esc_url()` cannot be used here, as the URL can be a
`javascript:` link, see
[source:tags/6.0/src/wp-includes/widgets/class-wp-nav-menu-widget.php?marks=169#L164 line 169]
above. Using `esc_url()` would turn that into an empty string.
That said, we should be able to add an inline comment to explain the
`esc_attr()` usage.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56128#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
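The behaviour the comment describes, as an added example that is not WordPress code and not part of the original message: a simplified Python model in which `url_escape_model` stands in for the protocol filtering of `esc_url()` and `attr_escape_model` for `esc_attr()`. The allow-list, the helper names and both sample URLs are constructed assumptions.

```python
import html
import re

# Assumption: a shortened stand-in for the protocols WordPress allows.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}
SCHEME_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9+.\-]*):")

# Constructed sample values, not taken from the WordPress source.
JS_LINK = 'javascript: openMenusPanel( "nav_menus" );'
ADMIN_LINK = "https://example.test/wp-admin/nav-menus.php"


def attr_escape_model(value: str) -> str:
    """Attribute escaping: encode quotes, ampersands and angle brackets.

    The scheme is left alone, so a `javascript:` value survives.
    """
    return html.escape(value, quote=True)


def url_escape_model(url: str) -> str:
    """URL escaping: a scheme outside the allow-list yields an empty string."""
    match = SCHEME_RE.match(url)
    if match and match.group(1).lower() not in ALLOWED_SCHEMES:
        return ""
    return attr_escape_model(url.strip())


def render_link(url: str, escaper) -> str:
    """Place an escaped value into an href attribute (hypothetical markup)."""
    return '<a href="{}">Menus</a>'.format(escaper(url))


if __name__ == "__main__":
    for label, url in (("javascript link", JS_LINK), ("admin link", ADMIN_LINK)):
        print(label)
        print("  url escaper :", render_link(url, url_escape_model))
        print("  attr escaper:", render_link(url, attr_escape_model))
```

Because attribute escaping does not restrict the scheme, it fits an `href` only when the value is set by the code itself, which is what an inline comment at that call would need to record.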