Changeset 42313 for branches/3.7

Timestamp:

11/29/2017 04:49:03 PM (7 years ago)

Author:

johnbillion

Message:

Hardening: Add escaping to the language attributes used on html elements.

Merges [42259] to the 3.7 branch.

Location:

branches/3.7

Files:

• . (modified) (1 prop)
• src (modified) (1 prop)
• src/wp-includes/general-template.php (modified) (1 diff)

branches/3.7/src/wp-includes/general-template.php

@@ -1928 +1928 @@
         $attributes[] = 'dir="rtl"';
 
-    if ( $lang = get_bloginfo('language') ) {
-        if ( get_option('html_type') == 'text/html' || $doctype == 'html' )
-            $attributes[] = "lang=\"$lang\"";
-
-        if ( get_option('html_type') != 'text/html' || $doctype == 'xhtml' )
-            $attributes[] = "xml:lang=\"$lang\"";
+    if ( $lang = get_bloginfo( 'language' ) ) {
+        if ( get_option( 'html_type' ) == 'text/html' || $doctype == 'html' ) {
+            $attributes[] = 'lang="' . esc_attr( $lang ) . '"';
+        }
+
+        if ( get_option( 'html_type' ) != 'text/html' || $doctype == 'xhtml' ) {
+            $attributes[] = 'xml:lang="' . esc_attr( $lang ) . '"';
+        }
     }