Make WordPress Core


Timestamp:
11/18/2022 03:19:07 PM (2 years ago)
Author:
SergeyBiryukov
Message:

Users: Add missing escaping on the Add New User screen.

While the $type and $label variables are set to values that do not currently require escaping, this may change in the future, so it is preferable to add the escaping as a defensive coding measure.

Follow-up to [16294], [29030].

Props monzuralam, rudlinkon, hztyfoon, peterwilsoncc.
Fixes #57133.

File:
1 edited

  • trunk/src/wp-admin/user-new.php

    r53111 r54857  
    443443<table class="form-table" role="presentation">
    444444    <tr class="form-field form-required">
    445         <th scope="row"><label for="adduser-email"><?php echo $label; ?></label></th>
    446         <td><input name="email" type="<?php echo $type; ?>" id="adduser-email" class="wp-suggest-user" value="" /></td>
     445        <th scope="row"><label for="adduser-email"><?php echo esc_html( $label ); ?></label></th>
     446        <td><input name="email" type="<?php echo esc_attr( $type ); ?>" id="adduser-email" class="wp-suggest-user" value="" /></td>
    447447    </tr>
    448448    <tr class="form-field">
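Review bot: On new line 446, esc_attr( $type ) keeps the value from breaking out of the type="..." attribute, but it does not constrain $type to a valid input type, so a future dynamic value could still change how the field renders and validates. The assignment of $type is not visible in this hunk; if it can ever come from anything other than fixed strings, consider checking it against an allowlist of the input types this field is meant to use at the point where it is set, and keep the esc_attr() here as the output-side defence. The esc_html( $label ) on new line 445 matches its context (element text inside the label), so no change is needed there; a short inline comment noting that both values are currently static would help the next reader understand why the escaping is defensive.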