WordPress.org

Make WordPress Core

Changeset 48060


Ignore:
Timestamp:
06/16/2020 04:55:45 PM (3 months ago)
Author:
whyisjake
Message:

Themes: Add additional later escaping to post_class() and body_class() functions.

Additionally, this adds a few tests to test output.

Fixes #20009.

Props mfields, scribu, azaozz, obenland, dd32, nacin, jrf, jdgrimes, garyj, whyisjake.

Location:
trunk
Files:
2 added
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/post-template.php

    r47848 r48060  
    455455function post_class( $class = '', $post_id = null ) {
    456456    // Separates classes with a single space, collates classes for post DIV.
    457     echo 'class="' . join( ' ', get_post_class( $class, $post_id ) ) . '"';
     457    echo 'class="' . esc_attr( join( ' ', get_post_class( $class, $post_id ) ) ) . '"';
    458458}
    459459
     
    591591function body_class( $class = '' ) {
    592592    // Separates class names with a single space, collates class names for body element.
    593     echo 'class="' . join( ' ', get_body_class( $class ) ) . '"';
     593    echo 'class="' . esc_attr( join( ' ', get_body_class( $class ) ) ) . '"';
    594594}
    595595
Note: See TracChangeset for help on using the changeset viewer.