Make WordPress Core


Ignore:
Timestamp:
06/08/2021 10:20:42 PM (3 years ago)
Author:
whyisjake
Message:

Administration: Escape the values of data-colname.

Adds a esc_attr wrapper to strip_all_tags.

See [33016].

Fixes #40401.

Props rellect, SergeyBiryukov, hareesh-pillai, audrasjb.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-admin/includes/class-wp-users-list-table.php

    r50229 r51115  
    532532            }
    533533
    534             $data = 'data-colname="' . wp_strip_all_tags( $column_display_name ) . '"';
     534            $data = 'data-colname="' . esc_attr( wp_strip_all_tags( $column_display_name ) ) . '"';
    535535
    536536            $attributes = "class='$classes' $data";
Note: See TracChangeset for help on using the changeset viewer.