
Ticket #35032: 35032.patch

File 35032.patch, 4.1 KB (added by khag7, 5 years ago)

Patch to use sanitize_key in place of sanitize_html_class and esc_attr for plugin slugs as values of data-slug attributes

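--- a/class-wp-plugin-install-list-table.php
+++ b/class-wp-plugin-install-list-table.php
@@ -454,7 +454,7 @@
 					case 'install':
 						if ( $status['url'] ) {
 							/* translators: 1: Plugin name and version. */
-							$action_links[] = '<a class="install-now button" data-slug="' . esc_attr( $plugin['slug'] ) . '" href="' . esc_url( $status['url'] ) . '" aria-label="' . esc_attr( sprintf( __( 'Install %s now' ), $name ) ) . '" data-name="' . esc_attr( $name ) . '">' . __( 'Install Now' ) . '</a>';
+							$action_links[] = '<a class="install-now button" data-slug="' . sanitize_key( $plugin['slug'] ) . '" href="' . esc_url( $status['url'] ) . '" aria-label="' . esc_attr( sprintf( __( 'Install %s now' ), $name ) ) . '" data-name="' . esc_attr( $name ) . '">' . __( 'Install Now' ) . '</a>';
 						}
 
 						break;
@@ -461,7 +461,7 @@
 					case 'update_available':
 						if ( $status['url'] ) {
 							/* translators: 1: Plugin name and version */
-							$action_links[] = '<a class="update-now button" data-plugin="' . esc_attr( $status['file'] ) . '" data-slug="' . esc_attr( $plugin['slug'] ) . '" href="' . esc_url( $status['url'] ) . '" aria-label="' . esc_attr( sprintf( __( 'Update %s now' ), $name ) ) . '" data-name="' . esc_attr( $name ) . '">' . __( 'Update Now' ) . '</a>';
+							$action_links[] = '<a class="update-now button" data-plugin="' . esc_attr( $status['file'] ) . '" data-slug="' . sanitize_key( $plugin['slug'] ) . '" href="' . esc_url( $status['url'] ) . '" aria-label="' . esc_attr( sprintf( __( 'Update %s now' ), $name ) ) . '" data-name="' . esc_attr( $name ) . '">' . __( 'Update Now' ) . '</a>';
 						}
 
 						break;
@@ -501,7 +501,7 @@
 			$date_format = __( 'M j, Y @ H:i' );
 			$last_updated_timestamp = strtotime( $plugin['last_updated'] );
 		?>
-		<div class="plugin-card plugin-card-<?php echo sanitize_html_class( $plugin['slug'] ); ?>">
+		<div class="plugin-card plugin-card-<?php echo sanitize_key( $plugin['slug'] ); ?>">
 			<div class="plugin-card-top">
 				<div class="name column-name">
 					<h3>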
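Review bot: The new data-slug values on the 457 and 464 lines, and the plugin-card- class on the 504 line, are emitted through sanitize_key() alone and no longer pass through an escaping function; sanitize_key() is a sanitizer whose result is returned through the 'sanitize_key' filter, so any hooked callback decides what ends up inside the attribute. Keeping the escape at the output point costs nothing and keeps the late-escaping convention visible to reviewers and to the escaping sniff, e.g. `data-slug="' . esc_attr( sanitize_key( $plugin['slug'] ) ) . '"` and `<?php echo esc_attr( sanitize_key( $plugin['slug'] ) ); ?>`. The same applies to the data-slug and id attributes in update.php and to $plugin_slug in class-wp-plugins-list-table.php, whose printf() continues outside that hunk. Note also that sanitize_key() lowercases while sanitize_html_class() did not, so the plugin-card class would change for any slug containing uppercase letters; presumably harmless for wordpress.org slugs, but worth confirming.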
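--- a/class-wp-plugins-list-table.php
+++ b/class-wp-plugins-list-table.php
@@ -699,7 +699,8 @@
 		if ( ! empty( $totals['upgrade'] ) && ! empty( $plugin_data['update'] ) )
 			$class .= ' update';
 
-		$plugin_slug = ( isset( $plugin_data['slug'] ) ) ? $plugin_data['slug'] : '';
+		//using sanitize_key to match the same sanitization used by the ajax handler
+		$plugin_slug = ( isset( $plugin_data['slug'] ) ) ? sanitize_key( $plugin_data['slug'] ) : '';
 		printf( "<tr id='%s' class='%s' data-slug='%s'>",
 			$id,
 			$class,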
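Review bot: The comment added on the new 702 line does not follow the core inline-comment convention (space after the slashes, capitalised, full stop) and would be clearer naming what it matches: `// Use sanitize_key() so the emitted slug matches the sanitization applied by the Ajax handler that receives it.` The sanitized $plugin_slug feeds the data-slug='%s' placeholder of the printf() that continues past the end of this hunk, so whether the value is still escaped at that point cannot be seen here; the escape should stay regardless of the sanitizer. sanitize_key() also lowercases, so a slug with uppercase characters now reaches the markup in a different form than before — presumably intended if the handler lowercases too, but worth a word in the ticket.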
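--- a/update.php
+++ b/update.php
@@ -335,7 +335,8 @@
 			$active_class = is_plugin_active( $file ) ? ' active' : '';
 		}
 
-		echo '<tr class="plugin-update-tr' . $active_class . '" id="' . esc_attr( $r->slug . '-update' ) . '" data-slug="' . esc_attr( $r->slug ) . '" data-plugin="' . esc_attr( $file ) . '"><td colspan="' . esc_attr( $wp_list_table->get_column_count() ) . '" class="plugin-update colspanchange"><div class="update-message">';
+		//using sanitize_key below instead of esc_attr for the slug because it has to match the same sanitize function used by the ajax handler that will receive this slug
+		echo '<tr class="plugin-update-tr' . $active_class . '" id="' . sanitize_key( $r->slug . '-update' ) . '" data-slug="' . sanitize_key( $r->slug ) . '" data-plugin="' . esc_attr( $file ) . '"><td colspan="' . esc_attr( $wp_list_table->get_column_count() ) . '" class="plugin-update colspanchange"><div class="update-message">';
 
 		if ( ! current_user_can( 'update_plugins' ) ) {
 			printf( __('There is a new version of %1$s available. <a href="%2$s" class="thickbox" title="%3$s">View version %4$s details</a>.'), $plugin_name, esc_url($details_url), esc_attr($plugin_name), $r->new_version );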
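Review bot: The id attribute on the new 339 line now goes through sanitize_key( $r->slug . '-update' ) instead of esc_attr(), which lowercases and strips characters, so anything that addresses the row by id from the raw slug (script or stylesheet) would stop matching for slugs that sanitize_key() alters — presumably none on wordpress.org, but worth confirming before changing it. The patch description scopes the change to data-slug values, so the id can keep its original form and only the slug needs the sanitizer, still escaped at output: `id="' . esc_attr( $r->slug . '-update' ) . '" data-slug="' . esc_attr( sanitize_key( $r->slug ) ) . '"`. The comment on the new 338 line should follow the core convention and is long enough to wrap, e.g. `// Use sanitize_key() for the slug so it matches the Ajax handler that receives it.` The function containing this echo starts outside the hunk.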