Opened 7 months ago

Closed 7 months ago

#22326 closed defect (bug) (fixed)

Inconsistent escaping in admin_color_scheme_picker()

Reported by: johnjamesjacoby
Owned by: ryan
Priority: normal
Milestone: 3.5
Component: Administration
Version:
Severity: normal
Keywords: has-patch commit
Cc:

Description

Problem

The output from admin_color_scheme_picker() inconsistently escapes variables created while looping through the $_wp_admin_css_colors global.


More Info

Unescaped variables:

  • $color (in some places)
  • $color_info->name
  • $html_color

Escaped variable:

  • $color (in one place)

Solutions

  • Escape everything. This makes the most sense to me; we shouldn't expect anyone that's using wp_admin_css_color() to pass already escaped output. Note that core does not escape its own usage here.
  • Escape nothing, and expect escaped input. This is consistent with the rest of the function, but lame and complicated.

Patch Attached

Attached patch escapes all variable screen output.

Attachments (1)

22326.patch (1.2 KB) - added by johnjamesjacoby 7 months ago.
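
The mixed escaping listed in the description next to the "escape everything" option, as an added example that is neither the attached patch nor WordPress core code. `demo_esc()` stands in for `esc_attr()`/`esc_html()`, the scheme data is constructed, and which single spot escaped `$color` is an assumption.

```php
<?php
// Added example: stand-in for esc_attr()/esc_html(), since WordPress is not loaded here.
function demo_esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
// Constructed stand-in for $_wp_admin_css_colors, as a plugin might register it.
$schemes = [
    'fresh'  => (object) ['name' => 'Default', 'colors' => ['#222', '#333']],
    'acme"x' => (object) ['name' => 'Acme <Dark> & "Loud"', 'colors' => ['#0a0"']],
];

// "Before": $color is escaped in one place only (which place is an assumption).
function render_mixed(array $schemes): string {
    $out = '';
    foreach ($schemes as $color => $info) {
        $out .= '<input id="admin_color_' . $color . '" value="' . demo_esc($color) . '" />';
        foreach ($info->colors as $html_color) {
            $out .= '<td style="background-color: ' . $html_color . '" title="' . $color . '"></td>';
        }
        $out .= '<label for="admin_color_' . $color . '">' . $info->name . "</label>\n";
    }
    return $out;
}

// "After": every value is escaped at the point of output.
function render_escaped(array $schemes): string {
    $out = '';
    foreach ($schemes as $color => $info) {
        $c = demo_esc($color);
        $out .= '<input id="admin_color_' . $c . '" value="' . $c . '" />';
        foreach ($info->colors as $html_color) {
            $out .= '<td style="background-color: ' . demo_esc($html_color) . '" title="' . $c . '"></td>';
        }
        $out .= '<label for="admin_color_' . $c . '">' . demo_esc($info->name) . "</label>\n";
    }
    return $out;
}

// Regression check: registered values that reach the markup without being escaped.
function raw_leaks(string $html, array $schemes): array {
    $values = [];
    foreach ($schemes as $color => $info) {
        $values = array_merge($values, [(string) $color, $info->name], $info->colors);
    }
    return array_values(array_filter($values, fn($v) => $v !== demo_esc($v) && strpos($html, $v) !== false));
}

print_r(['mixed' => raw_leaks(render_mixed($schemes), $schemes),
         'escaped' => raw_leaks(render_escaped($schemes), $schemes)]);
```

`raw_leaks()` only considers values that contain HTML metacharacters, so the stock `fresh` scheme never shows up in either list.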


Change History (4)

  • Keywords has-patch added
  • Keywords commit added
  • Milestone changed from Awaiting Review to 3.5
  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from new to closed

In 22375:

Consistent escaping in admin_color_scheme_picker(). Props johnjamesjacoby. fixes #22326
