Make WordPress Core

Changeset 59831


Timestamp:
02/17/2025 04:23:52 PM (11 months ago)
Author:
johnbillion
Message:

Security: Remove use of innerHTML in the the_block_template_skip_link() function.

There is no need to support HTML in this string and switching to innerText helps facilitate a more restrictive Content Security Policy.

Props micromadness, sabernhardt

Fixes #58765

File:
1 edited

  • trunk/src/wp-includes/theme-templates.php

    r59559 r59831  
    206206        skipLink.id = 'wp-skip-link';
    207207        skipLink.href = '#' + skipLinkTargetID;
    208         skipLink.innerHTML = '<?php /* translators: Hidden accessibility text. */ esc_html_e( 'Skip to content' ); ?>';
     208        skipLink.innerText = '<?php /* translators: Hidden accessibility text. Do not use HTML entities (&nbsp;, etc.). */ esc_html_e( 'Skip to content' ); ?>';
    209209
    210210        // Inject the skip link.
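
Review bot: On the new line 208, the string is still produced by esc_html_e(), but innerText does not decode HTML entities the way innerHTML did, so any character that esc_html() encodes (&, <, >, double and single quotes) will now be shown to the user literally, for example an apostrophe in a translation appearing as &#039;. The added translator comment only covers entities a translator types, not the ones the escaping function generates. Since the value is a JavaScript string literal rather than HTML, consider encoding it for that context instead, for example emitting wp_json_encode( __( 'Skip to content' ) ) without the surrounding quotes, and keep the translator comment on the __() call. A smaller point on the same line: textContent is the more common choice for setting plain text, since innerText is layout-aware; either one removes the HTML sink that the commit message is concerned with for Content Security Policy.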