Make WordPress Core

Opened 12 years ago

Closed 12 years ago

#22326 closed defect (bug) (fixed)

Inconsistent escaping in admin_color_scheme_picker()

Reported by: johnjamesjacoby's profile johnjamesjacoby Owned by: ryan's profile ryan
Milestone: 3.5 Priority: normal
Severity: normal Version:
Component: Administration Keywords: has-patch commit
Focuses: Cc:



The output from admin_color_scheme_picker() inconsistently escapes variables created while looping through the $_wp_admin_css_colors global.

More Info

Unescaped variables:

  • $color (in some places)
  • $color_info->name
  • $html_color

Escaped variable:

  • $color (in one place)


  • Escape everything. This makes the most sense to me; we shouldn't expect anyone that's using wp_admin_css_color() to pass already escaped output. Note that core does not escape it's own usage here.
  • Escape nothing, and expect escaped input. This is consistent with the rest of the function, but lame and complicated.

Patch Attached

Attached patch escapes all variable screen output.

Attachments (1)

22326.patch (1.2 KB) - added by johnjamesjacoby 12 years ago.

Download all attachments as: .zip

Change History (4)

#1 @wonderboymusic
12 years ago

  • Keywords has-patch added

#2 @nacin
12 years ago

  • Keywords commit added
  • Milestone changed from Awaiting Review to 3.5

#3 @ryan
12 years ago

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from new to closed

In 22375:

Consistent escaping in admin_color_scheme_picker(). Props johnjamesjacoby. fixes #22326

Note: See TracTickets for help on using tickets.