[wp-trac] [WordPress Trac] #62436: Add proper escaping for dynamic values in login template
WordPress Trac
noreply at wordpress.org
Mon Nov 18 18:42:51 UTC 2024
#62436: Add proper escaping for dynamic values in login template
--------------------------+-------------------------------
Reporter: im3dabasia1 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 6.8
Component: General | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses: coding-standards
--------------------------+-------------------------------
Comment (by sabernhardt):
#58305 (plus #59257 and #61125) already proposed escaping
`$login_header_text` with `esc_html()`, and the ticket was closed. If this
uses `wp_kses()` instead, it could allow `img` elements because some sites
might remove the `text-indent` to have an image instead of the background.
The `$title` variable stands as the first parameter of the `login_header()`
function ('Log In' by default). I did not think escaping the variable was
necessary with the Core translatable strings, but
[https://wpdirectory.net/search/01JD01WE8QR13F7G73XRDMBVNG some plugins
use login_header()] too. A few of them, such as Google Authenticator, even
have `esc_html__()` in the parameter.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62436#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
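The two escaping strategies the comment weighs, side by side, as an added example that is not code from the ticket or from WordPress Core. It assumes WordPress is loaded (for instance run with `wp eval-file` or dropped into `mu-plugins`), so `esc_html()`, `wp_kses()` and the `login_headertext` filter are available; the `login_header_allowed_html()` helper, the `escape_with_*` wrappers and the sample header string are assumptions of this example.

```php
<?php
/**
 * Added example (not from the ticket or WordPress Core).
 * Assumes WordPress is loaded, e.g.:  wp eval-file login-escaping-demo.php
 */

// Constructed sample: a site that swapped the text logo for an image through the
// `login_headertext` filter (the customisation the comment refers to), plus an
// event-handler attribute to show what an allow-list sanitizer removes.
add_filter( 'login_headertext', function () {
    return '<img src="/wp-content/uploads/logo.png" alt="Example Site" onerror="notAllowed()">';
} );

// Mirror what wp-login.php does: start from the site name, then apply the filter.
$login_header_text = apply_filters( 'login_headertext', get_bloginfo( 'name', 'display' ) );

/**
 * Hypothetical allow-list for wp_kses(): only an <img> with a few presentational
 * attributes. Any other element or attribute (including on* handlers) is dropped.
 */
function login_header_allowed_html() {
    return array(
        'img' => array(
            'src'    => true,
            'alt'    => true,
            'width'  => true,
            'height' => true,
            'class'  => true,
        ),
    );
}

/** Strategy proposed in #58305: every character is HTML-encoded, so no markup survives. */
function escape_with_esc_html( $text ) {
    return esc_html( $text );
}

/** Strategy raised in this comment: keep an allow-listed <img>, strip everything else. */
function escape_with_wp_kses( $text ) {
    return wp_kses( $text, login_header_allowed_html() );
}

echo "esc_html(): " . escape_with_esc_html( $login_header_text ) . "\n";
echo "wp_kses():  " . escape_with_wp_kses( $login_header_text ) . "\n";
```

With `esc_html()` the angle brackets are encoded, so a site that relies on an `<img>` in the header text sees the tag printed literally rather than rendered. With `wp_kses()` and the allow-list above, the `<img>` and its `src`/`alt` attributes pass through while the `onerror` attribute is removed because it is not in the allow-list, which is the trade-off between the two approaches: `wp_kses()` preserves that customisation only if the allow-list is kept this narrow.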