[wp-trac] [WordPress Trac] #59257: Missing escaping function for H1 in wp-login.php
WordPress Trac
noreply at wordpress.org
Thu Aug 31 17:56:23 UTC 2023
#59257: Missing escaping function for H1 in wp-login.php
------------------------------------+-----------------------------
Reporter: khokansardar | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: 6.3.1
Severity: normal | Keywords:
Focuses: coding-standards |
------------------------------------+-----------------------------
In the wp-login.php file, an escaping function is missing for the login
header text:
{{{
<h1><a href="<?php echo esc_url( $login_header_url ); ?>"><?php echo $login_header_text; ?></a></h1>
}}}
This $login_header_text has the filter below to modify the text, which may
cause an unexpected security issue.
{{{#!php
<?php
/**
 * Filters the link text of the header logo above the login form.
 *
 * @since 5.2.0
 *
 * @param string $login_header_text The login header logo link text.
 */
$login_header_text = apply_filters( 'login_headertext', $login_header_text );
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/59257>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
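
A site-level mitigation for the behaviour reported above, as an added example that is not part of the original ticket or of WordPress core: a must-use plugin that escapes the `login_headertext` value after all other callbacks have run. The function name `example_escape_login_headertext`, the mu-plugins placement, and the premise that the header text is plain text on the site are assumptions.

```php
<?php
/**
 * Plugin Name: Escape login header text (added example)
 *
 * Assumption: placed in wp-content/mu-plugins/ on a site where the login
 * header text is meant to be plain text. A site that deliberately returns
 * markup from this filter would see that markup rendered as literal text.
 */

/**
 * Escapes the filtered login header text before wp-login.php echoes it.
 *
 * Hypothetical helper name; not a WordPress core function.
 *
 * @param mixed $text Value returned by earlier login_headertext callbacks.
 * @return string HTML-escaped text.
 */
function example_escape_login_headertext( $text ) {
	// A callback may return a non-string; normalise before escaping.
	$text    = is_scalar( $text ) ? (string) $text : '';
	$escaped = esc_html( $text );

	// Record when escaping changed the value, so the callback that
	// returned special characters or markup can be reviewed.
	if ( $escaped !== $text ) {
		error_log( 'login_headertext: value was changed by esc_html() before output.' );
	}

	return $escaped;
}

// PHP_INT_MAX priority: run after every other login_headertext callback,
// so the value echoed inside the <h1> link is the escaped one.
add_filter( 'login_headertext', 'example_escape_login_headertext', PHP_INT_MAX );
```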