[wp-trac] [WordPress Trac] #56655: add_menu_page - escaping $page_title, $menu_title

WordPress Trac noreply at wordpress.org
Wed Nov 9 03:00:19 UTC 2022


#56655: add_menu_page - escaping $page_title, $menu_title
-------------------------------------------------+-------------------------
 Reporter:  soupia18                             |       Owner:  (none)
     Type:  defect (bug)                         |      Status:  closed
 Priority:  normal                               |   Milestone:
Component:  Menus                                |     Version:
 Severity:  normal                               |  Resolution:  wontfix
 Keywords:  has-screenshots has-patch 2nd-       |     Focuses:
  opinion                                        |  administration
-------------------------------------------------+-------------------------
Changes (by peterwilsoncc):

 * status:  new => closed
 * resolution:   => wontfix
 * milestone:  6.1.1 =>


Comment:

 > Can they be entered by (unidentified) users or are they coming from
 plugins?

 The intent of the function is that the strings come from plugins rather
 than users.

 If a plugin developer creates a plugin that uses this function based on
 user input, then the plugin becomes responsible for sanitizing the user
 input appropriately. WordPress takes a similar approach with custom post
 type labels.

 ----

 I think this can be closed without a fix.

 Anything that requires PHP to exploit (for want of a better word) is
 generally considered fine as PHP code has full access to the WordPress
 install by definition. Anyone wishing to do something nasty via PHP can
 find far more suitable APIs to use to do far nastier things.

 The plugin architecture's flexibility has its upsides and its downsides.

 Thanks for your report.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/56655#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
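
The plugin-side responsibility described in the comment above, as an added example that is not part of the ticket or of WordPress core. The plugin, its option name, settings group and menu slug are hypothetical; it assumes an administrator-editable label that is passed to add_menu_page() as both $page_title and $menu_title.

```php
<?php
/**
 * Plugin Name: Example Menu Label (constructed example)
 */

// Hypothetical option holding a label that an administrator can edit.
const EXAMPLE_MENU_LABEL_OPTION = 'example_menu_label';

// Sanitize on save: sanitize_text_field() strips tags, line breaks and
// extra whitespace before the value reaches the options table.
add_action( 'admin_init', function () {
    register_setting( 'example_menu_group', EXAMPLE_MENU_LABEL_OPTION, array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => 'Example',
    ) );
} );

// Sanitize again on use: the stored value may have been written by another
// code path (import, direct database edit) that skipped the callback above.
add_action( 'admin_menu', function () {
    $label = sanitize_text_field( get_option( EXAMPLE_MENU_LABEL_OPTION, 'Example' ) );
    if ( '' === $label ) {
        $label = 'Example'; // Fall back when sanitizing leaves nothing.
    }
    add_menu_page( $label, $label, 'manage_options', 'example-menu', 'example_menu_render' );
} );

// Settings screen: every echo of the stored value is escaped for its context.
function example_menu_render() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $label = get_option( EXAMPLE_MENU_LABEL_OPTION, 'Example' );
    ?>
    <div class="wrap">
        <h1><?php echo esc_html( $label ); ?></h1>
        <form method="post" action="options.php">
            <?php settings_fields( 'example_menu_group' ); ?>
            <input type="text" class="regular-text"
                   name="<?php echo esc_attr( EXAMPLE_MENU_LABEL_OPTION ); ?>"
                   value="<?php echo esc_attr( $label ); ?>">
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}
```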