Make WordPress Core

#22326 closed defect (bug) (fixed)

Inconsistent escaping in admin_color_scheme_picker()

Reported by: johnjamesjacoby Owned by: ryan
Milestone: 3.5 Priority: normal
Severity: normal Version:
Component: Administration Keywords: has-patch commit
Focuses: Cc:



The output from admin_color_scheme_picker() inconsistently escapes variables created while looping through the $_wp_admin_css_colors global.

More Info

Unescaped variables:

  • $color (in some places)
  • $color_info->name
  • $html_color

Escaped variable:

  • $color (in one place)


  • Escape everything. This makes the most sense to me; we shouldn't expect anyone that's using wp_admin_css_color() to pass already escaped output. Note that core does not escape it's own usage here.
  • Escape nothing, and expect escaped input. This is consistent with the rest of the function, but lame and complicated.

Patch Attached

Attached patch escapes all variable screen output.

Attachments (1)

22326.patch (1.2 KB) - added by johnjamesjacoby 18 months ago.

Download all attachments as: .zip

Change History (4)

johnjamesjacoby18 months ago

comment:1 wonderboymusic18 months ago

  • Keywords has-patch added

comment:2 nacin18 months ago

  • Keywords commit added
  • Milestone changed from Awaiting Review to 3.5

comment:3 ryan18 months ago

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from new to closed

In 22375:

Consistent escaping in admin_color_scheme_picker(). Props johnjamesjacoby. fixes #22326

Note: See TracTickets for help on using tickets.