Make WordPress Core

Opened 2 years ago

Closed 2 years ago

#24738 closed defect (bug) (wontfix)

id attributes populated by comment_ID() are not escaped

Reported by: kwight
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 1.5
Component: Comments
Keywords: has-patch
Focuses:
Cc:


The core comment templates use comment_ID() to help populate some id attributes. comment_ID() is filterable, and should be escaped.

Attachments (2)

24738.diff (2.2 KB) - added by kwight 2 years ago.
24738.1.diff (431 bytes) - added by obenland 2 years ago.


Change History (10)

@kwight 2 years ago

comment:1 @nacin 2 years ago

If I had my way, get_comment_ID() wouldn't have a filter. (get_the_ID() doesn't have one either.) That said, it returns an integer. So we can/should either cast to an integer inside get_comment_ID(), or just assume that plugin authors won't return something other than an integer.

@obenland 2 years ago

comment:2 @obenland 2 years ago

New patch casts get_comment_ID() filter value to an integer.
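
The two options discussed up to this point, escaping where the template prints the ID (the ticket description) and casting the filtered value to an integer (comment:2), side by side as an added example; it is not code from either attached patch. The add_filter(), apply_filters() and esc_attr() definitions are simplified stand-ins so the script runs under plain PHP, and the plugin filter and the comment ID 42 are constructed.

```php
<?php
// Stand-ins for WordPress functions so this runs under the plain PHP CLI.
// Simplified for illustration; these are not WordPress's implementations.
$filters = array();

function add_filter( $tag, $callback ) {
    global $filters;
    $filters[ $tag ][] = $callback;
}

function apply_filters( $tag, $value ) {
    global $filters;
    $callbacks = isset( $filters[ $tag ] ) ? $filters[ $tag ] : array();
    foreach ( $callbacks as $callback ) {
        $value = call_user_func( $callback, $value );
    }
    return $value;
}

function esc_attr( $text ) {
    // Assumption: HTML-entity encoding with quotes included is enough to stand in here.
    return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
}

// Filterable getter as the ticket describes it: callers receive whatever the last filter returns.
function get_comment_ID() {
    $stored_id = 42; // constructed sample comment ID
    return apply_filters( 'get_comment_ID', $stored_id );
}

// Hypothetical plugin filter that returns a string instead of an integer.
add_filter( 'get_comment_ID', function ( $id ) {
    return $id . '" data-injected="1';
} );

// 1. Filtered value written into the id attribute with no escaping.
$unescaped = '<li id="comment-' . get_comment_ID() . '">';

// 2. Escaped at the point of output (assumed here to be done with esc_attr()).
$escaped = '<li id="comment-' . esc_attr( get_comment_ID() ) . '">';

// 3. Filtered value cast to an integer, the approach described in comment:2.
$cast = '<li id="comment-' . (int) get_comment_ID() . '">';

echo $unescaped, "\n", $escaped, "\n", $cast, "\n";
```

With the cast, a filter result that is not numeric at all, such as 'c42', comes out as 0, so the cast changes what any existing filter returning a non-integer produces.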

comment:3 @SergeyBiryukov 2 years ago

  • Version changed from trunk to 1.5

comment:4 @obenland 2 years ago

  • Milestone changed from Awaiting Review to 3.7

comment:5 @nacin 2 years ago

This may actually be a breaking change along the lines of #22324.

comment:6 follow-up: @kwight 2 years ago

Does that mean we should go back to the original patch?

comment:7 in reply to: ↑ 6 @nacin 2 years ago

Replying to kwight:

Does that mean we should go back to the original patch?

I think it's actually probably a wontfix.

comment:8 @nacin 2 years ago

  • Milestone 3.7 deleted
  • Resolution set to wontfix
  • Status changed from new to closed