Ticket #58831: 58831-missing-escaping.patch
File 58831-missing-escaping.patch, 1.7 KB (added by , 3 months ago) |
wp-admin/comment.php
161 161 break; 162 162 } 163 163 if ( $message ) { 164 echo '<div id="message" class="notice notice-info"><p>' . $message. '</p></div>';164 echo '<div id="message" class="notice notice-info"><p>' . esc_html( $message ) . '</p></div>'; 165 165 } 166 166 } 167 167 ?> 168 <div id="message" class="notice notice-warning"><p><strong><?php _e( 'Caution:' ); ?></strong> <?php echo $caution_msg; ?></p></div>168 <div id="message" class="notice notice-warning"><p><strong><?php _e( 'Caution:' ); ?></strong> <?php echo esc_html( $caution_msg ); ?></p></div> 169 169 170 170 <table class="form-table comment-ays"> 171 171 <tr> … … 195 195 } else { 196 196 $post_link = esc_html( get_the_title( $post_id ) ); 197 197 } 198 echo $post_link;198 echo esc_attr( $post_link ); 199 199 200 200 if ( $comment->comment_parent ) { 201 201 $parent = get_comment( $comment->comment_parent ); … … 204 204 printf( 205 205 /* translators: %s: Comment link. */ 206 206 ' | ' . __( 'In reply to %s.' ), 207 '<a href="' . $parent_link . '">' . $name. '</a>'207 '<a href="' . esc_url( $parent_link ) . '">' . esc_html( $name ) . '</a>' 208 208 ); 209 209 } 210 210 ?> … … 223 223 get_comment_date( __( 'g:i a' ), $comment ) 224 224 ); 225 225 if ( 'approved' === wp_get_comment_status( $comment ) && ! empty( $comment->comment_post_ID ) ) { 226 echo '<a href="' . esc_url( get_comment_link( $comment ) ) . '">' . $submitted. '</a>';226 echo '<a href="' . esc_url( get_comment_link( $comment ) ) . '">' . esc_html( $submitted ) . '</a>'; 227 227 } else { 228 echo $submitted;228 echo esc_attr( $submitted ); 229 229 } 230 230 ?> 231 231 </td>
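Review bot: `echo esc_attr( $post_link );` at line 198 applies an attribute-context escaper to a value that is emitted in HTML body context and, in the visible `else` branch, is already `esc_html( get_the_title( $post_id ) )`, so the title is double-escaped (`&amp;` becomes `&amp;amp;`); if the `if` branch above the hunk builds an anchor tag for `$post_link`, `esc_attr` will also render that markup as literal text and break the link. The escaping here belongs at construction time in both branches, keeping `echo $post_link;`, or, if a late escape is wanted, `echo wp_kses_post( $post_link );` so intentional markup survives. The same context mismatch is at line 228, where `echo esc_attr( $submitted );` should be `echo esc_html( $submitted );` to match the sibling branch at line 226. For `esc_html( $message )` at line 164 and `esc_html( $caution_msg )` at line 168, please confirm that none of the cases assigning these strings in the `switch` above the hunk contain HTML, since `esc_html` would then show the tags verbatim. The `if`/`else` assigning `$post_link` and the `switch` setting `$message` both start outside the hunk.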