[wp-trac] [WordPress Trac] #56701: Sanitize HTML Classes added to single row columns in WP_List_Table
WordPress Trac
noreply at wordpress.org
Sat Nov 5 21:19:53 UTC 2022
#56701: Sanitize HTML Classes added to single row columns in WP_List_Table
-------------------------------------+-----------------------------
Reporter: bananastalktome | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 6.1.1
Component: General | Version:
Severity: normal | Resolution:
Keywords: has-patch needs-testing | Focuses: administration
-------------------------------------+-----------------------------
Comment (by Clorith):
Thank you for the patch @bananastalktome. I had a look at it, and the
thought behind it is good; I do have some suggestions, though.
Normally, what we want to do is sanitize anything that is saved, and
escape when outputting it. So in this case, instead of relying on
sanitize functions, we should use an escaping function either in the
`echo` portion of the code, or as close to it as we can get. Since classes
are attributes, using
[https://developer.wordpress.org/reference/functions/esc_attr/ esc_attr()]
will probably be the approach you want. So instead of introducing a new
variable: on line 1338 the class attribute that will be echoed is
generated, and one could replace the existing implementation:
`$class = "class='" . implode( ' ', $class ) . "'";`
With one that escapes, such as:
`$class = "class='" . esc_attr( implode( ' ', $class ) ) . "'";`
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56701#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
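As an added example, not code from WordPress core or from the ticket's patch, the stand-alone PHP script below puts the unescaped line quoted in the comment next to the `esc_attr()` version Clorith suggests, feeds both a class list containing a single quote, and lets an HTML parser report which attributes each `<td>` actually ends up with. The `esc_attr()` stub (a stand-in for the WordPress function so the script runs outside WordPress), the `td_attribute_names()` helper and the sample class list are assumptions made for this demonstration.

```php
<?php
// Added example; not code from WordPress core or from the ticket's patch.
// esc_attr() here is a minimal stand-in for WordPress's esc_attr() so the
// file runs outside WordPress; the real function also rejects invalid
// UTF-8 and applies the 'attribute_escape' filter. It is only defined when
// WordPress has not already loaded its own.
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}

// The class attribute as the line quoted in the comment builds it: the
// class names are joined and placed inside single quotes with no escaping.
function class_attr_unescaped( array $classes ) {
	return "class='" . implode( ' ', $classes ) . "'";
}

// The suggested replacement: escape the joined list at output time.
function class_attr_escaped( array $classes ) {
	return "class='" . esc_attr( implode( ' ', $classes ) ) . "'";
}

// Helper (assumption, not a WordPress API): parse a <td ...></td> with
// libxml's HTML parser and return the attribute names it sees, so the
// effect of escaping is checked rather than eyeballed.
function td_attribute_names( $td_markup ) {
	$doc = new DOMDocument();
	libxml_use_internal_errors( true );
	$doc->loadHTML( '<table><tr>' . $td_markup . '</tr></table>' );
	libxml_clear_errors();
	$td    = $doc->getElementsByTagName( 'td' )->item( 0 );
	$names = array();
	foreach ( $td->attributes as $attr ) {
		$names[] = $attr->name;
	}
	return $names;
}

// Constructed input for the demonstration: a column key carrying a single
// quote, as it could reach single_row_columns() if a plugin registered the
// column without sanitizing it. Hypothetical data, not from the ticket.
$classes = array( "my_col' onmouseover='alert(1)", 'column-my_col' );

$variants = array(
	'unescaped' => class_attr_unescaped( $classes ),
	'escaped'   => class_attr_escaped( $classes ),
);

foreach ( $variants as $label => $attr ) {
	$td = '<td ' . $attr . '></td>';
	echo $label, ': ', $td, "\n";
	echo '  attributes seen by the parser: ', implode( ', ', td_attribute_names( $td ) ), "\n\n";
}
// In the unescaped variant the quote inside the key closes class='' early
// and onmouseover is parsed as a real attribute; in the escaped variant the
// quote is encoded and class remains the only attribute on the cell.
```

Running it with `php` from the command line is enough; the stub keeps the script independent of a WordPress install, and because it is guarded by `function_exists()` the same functions would use the real `esc_attr()` if dropped into a WordPress context.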