[wp-trac] [WordPress Trac] #56655: add_menu_page - escaping $page_title, $menu_title
WordPress Trac
noreply at wordpress.org
Mon Sep 26 15:58:59 UTC 2022
#56655: add_menu_page - escaping $page_title, $menu_title
-----------------------------------------+------------------------------
Reporter: soupia18 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Menus | Version: trunk
Severity: critical | Resolution:
Keywords: needs-patch has-screenshots | Focuses: administration
-----------------------------------------+------------------------------
Comment (by soupia18):
Hello @martinkrcho - thank you for the welcome.
The issue is in /wp-admin/menu-header.php
Both menu and submenu titles are printed unescaped.
It looks like wp_kses() might be needed there - with some allowed_html
tags. E.g. the Plugins menu contains span elements.
There are 3 variables that need to be escaped there (at least with what I
have tested so far).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56655#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
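
An allowlist of the kind the comment suggests, as an added example (not code from the ticket or from WordPress core). The helper name, the allowed attributes and the sample titles are assumptions, and the script has to run inside a loaded WordPress install.

```php
<?php
/**
 * Added example, not WordPress core code. Run it inside a loaded
 * WordPress install, e.g. `wp eval-file menu-title-kses.php`.
 */

// Hypothetical helper name. The allowlist is an assumption: it covers the
// span-based count bubbles that menu titles such as "Plugins" carry.
function example_kses_menu_title( $title ) {
	$allowed_html = array(
		'span' => array(
			'class'       => true,
			'aria-hidden' => true,
		),
	);

	// wp_kses() drops every tag and attribute that is not in the allowlist.
	return wp_kses( $title, $allowed_html );
}

if ( ! function_exists( 'wp_kses' ) ) {
	exit( "Load WordPress first (wp_kses() is not defined).\n" );
}

// Constructed sample titles, as a plugin might pass them to add_menu_page().
$samples = array(
	'plain text'     => 'Reports',
	'count bubble'   => "Plugins <span class='update-plugins count-2'><span class='plugin-count'>2</span></span>",
	'script element' => 'Reports<script>alert(1)</script>',
	'event handler'  => "Reports <span class='x' onmouseover='alert(1)'>3</span>",
	'disallowed tag' => 'Reports <img src=x onerror=alert(1)>',
);

// Print each title before and after filtering so the two can be compared.
foreach ( $samples as $label => $raw ) {
	printf( "[%s]\n  in:  %s\n  out: %s\n\n", $label, $raw, example_kses_menu_title( $raw ) );
}
```

Compare the `in` and `out` lines: the count-bubble markup should come through unchanged, while the other tags and the event-handler attribute should not.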