Make WordPress Core


Timestamp: 11/15/2019 11:22:19 PM (5 years ago)
Author: whyisjake
Message:

Toolbar: Properly escape the onclick attribute.

The onclick attribute was being escaped twice, once with esc_js and again with esc_attr.

Fixes #48117.
Props tmatsuur, dinhtungdu.

File:
1 edited

  • trunk/src/wp-includes/class-wp-admin-bar.php

    r46678 r46734  
    551551            $attributes = array( 'onclick', 'target', 'title', 'rel', 'lang', 'dir' );
    552552            echo "<a class='ab-item'$aria_attributes href='" . esc_url( $node->href ) . "'";
    553             if ( ! empty( $node->meta['onclick'] ) ) {
    554                 echo ' onclick="' . esc_js( $node->meta['onclick'] ) . '"';
    555             }
    556553        } else {
    557554            $attributes = array( 'onclick', 'target', 'title', 'rel', 'lang', 'dir' );
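Review bot: with the onclick-specific echo (old lines 553-555) dropped from this branch, both branches now assign the identical `$attributes` array at 551 and 557, so that assignment could be hoisted above the if/else to avoid the duplication. The removal itself is sound, since the shared attribute loop below is now the single place that emits onclick.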
     
    560557
    561558        foreach ( $attributes as $attribute ) {
    562             if ( ! empty( $node->meta[ $attribute ] ) ) {
     559            if ( empty( $node->meta[ $attribute ] ) ) {
     560                continue;
     561            }
     562
     563            if ( 'onclick' === $attribute ) {
     564                echo " $attribute='" . esc_js( $node->meta[ $attribute ] ) . "'";
     565            } else {
    563566                echo " $attribute='" . esc_attr( $node->meta[ $attribute ] ) . "'";
    564567            }
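Review bot: the new onclick line at 564 wraps the esc_js() output in single-quote delimiters, whereas the removed line (old 554) used double quotes. esc_js() backslash-escapes single quotes, and HTML attribute parsing does not honour a backslash as an escape, so an onclick value containing a single quote (e.g. a JS string literal) would close the single-quoted attribute at the first embedded quote; consider emitting this attribute as ` onclick="' . esc_js( ... ) . '"`, the double-quoted form esc_js() is documented for, so the quoting also stays consistent with the old branch. The early `continue` guard at 559-561 is fine and preserves the previous empty-check behaviour.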