[wp-trac] [WordPress Trac] #61125: Many strings or URLs lack proper escaping.
WordPress Trac
noreply at wordpress.org
Fri Oct 4 18:57:31 UTC 2024
#61125: Many strings or URLs lack proper escaping.
---------------------------+-------------------------------
Reporter: yagniksangani | Owner: audrasjb
Type: enhancement | Status: reviewing
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: minor | Resolution:
Keywords: has-patch | Focuses: coding-standards
---------------------------+-------------------------------
Changes (by sabernhardt):
* keywords: has-patch changes-requested => has-patch
Comment:
I agree to escape the filtered title tag contents from `$login_title`.
Regarding other changes proposed in some-feature.61125.diff:
- [57625] already addressed escaping output in `wp-activate.php`.
- I do not think the `gmdate()` function needs any escaping (in
`wp-links-opml.php`).
- When I edited existing links, with the Link Manager plugin activated,
the `updated` value remained blank space. However, if `wp-links-opml.php`
ever prints something that needs escaping in that attribute, it should use
`echo esc_attr( $bookmark->link_updated );` instead of `esc_html`.
- As mentioned in comment:2, #58305 purposely did not escape
`$login_header_text`.
I also had planned to add `esc_html` for the `$title` variable in the new
[https://core.trac.wordpress.org/changeset/59138/trunk/src/wp-login.php
visually hidden login heading], but I did not find a need to escape the
translatable strings.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61125#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform