Opened 4 months ago

Closed 3 months ago

Last modified 3 months ago

#23334 closed defect (bug) (fixed)

Use the proper function to escape WP.org links

Reported by: SergeyBiryukov Owned by: SergeyBiryukov
Priority: normal Milestone: 3.6
Component: Formatting Version:
Severity: normal Keywords: has-patch
Cc:

Description

We use esc_attr_e() in some places:

<a href="<?php esc_attr_e( 'http://wordpress.org/' ); ?>"><?php _e( 'WordPress' ); ?></a>

esc_url( __( 'http://wordpress.org/' ) ) should be used instead.

Attachments (1)

23334.patch (4.0 KB) - added by SergeyBiryukov 4 months ago.

Download all attachments as: .zip

Change History (5)

SergeyBiryukov4 months ago

comment:2   DrewAPicture4 months ago

+1, 23334.patch looks good to me.

comment:3   SergeyBiryukov3 months ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 23413:

Use correct escaping function. fixes #23334.

comment:4   SergeyBiryukov3 months ago

In 23455:

Revert to esc_attr_e() in setup-config.php to prevent a fatal error.
kses.php is not loaded at this point, so esc_url() cannot be used.

props csixty4, JustinSainton.
fixes #23516. see #23334.

Note: See TracTickets for help on using tickets.