WordPress.org

Make WordPress Core

Changeset 51115


Timestamp:
06/08/2021 10:20:42 PM (6 months ago)
Author:
whyisjake
Message:

Administration: Escape the values of data-colname.

Adds an esc_attr wrapper to strip_all_tags.

See [33016].

Fixes #40401.

Props rellect, SergeyBiryukov, hareesh-pillai, audrasjb.

Location:
trunk/src/wp-admin/includes
Files:
2 edited

  • trunk/src/wp-admin/includes/class-wp-list-table.php

    r50517 r51115  
    14261426
    14271427            // Comments column uses HTML in the display name with screen reader text.
    1428             // Instead of using esc_attr(), we strip tags to get closer to a user-friendly string.
    1429             $data = 'data-colname="' . wp_strip_all_tags( $column_display_name ) . '"';
     1428            // Strip tags to get closer to a user-friendly string.
     1429            $data = 'data-colname="' . esc_attr( wp_strip_all_tags( $column_display_name ) ) . '"';
    14301430
    14311431            $attributes = "class='$classes' $data";
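
Review bot: The replacement comment at new line 1428 drops the mention of esc_attr() without saying why escaping is now applied on top of tag stripping, so a later reader could take the wrapper for redundant and remove it. wp_strip_all_tags() removes markup but leaves quote characters in place, so a display name containing a double quote would still end the data-colname attribute early. Suggest wording along the lines of "Strip tags to get closer to a user-friendly string, then escape for the attribute context." Separately, the context line 1431 interpolates $classes into a single-quoted class attribute, and this hunk does not show how $classes is built; worth confirming it is escaped or limited to known values before it reaches this line.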
  • trunk/src/wp-admin/includes/class-wp-users-list-table.php

    r50229 r51115  
    532532            }
    533533
    534             $data = 'data-colname="' . wp_strip_all_tags( $column_display_name ) . '"';
     534            $data = 'data-colname="' . esc_attr( wp_strip_all_tags( $column_display_name ) ) . '"';
    535535
    536536            $attributes = "class='$classes' $data";
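
Review bot: Line 534 repeats the expression from class-wp-list-table.php line 1429 verbatim, which is why the same fix had to be made in two files, and here it carries no comment explaining the strip-then-escape order. Suggest moving the data-colname construction into a shared method on the parent list table class so the escaping lives in one place, or at minimum copying the explanatory comment above this line. The changeset as shown touches only these two files, so a test that renders a column display name containing a double quote would be a useful addition.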