Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#24738 closed defect (bug) (wontfix)

id attributes populated by comment_ID() are not escaped

Reported by: kwight
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 1.5
Component: Comments
Keywords: has-patch
Focuses:
Cc:


The core comment templates use comment_ID() to help populate some id attributes. comment_ID() is filterable, and should be escaped.

Attachments (2)

24738.diff (2.2 KB) - added by kwight 5 years ago.
24738.1.diff (431 bytes) - added by obenland 5 years ago.


Change History (10)

#1 @nacin
5 years ago

If I had my way, get_comment_ID() wouldn't have a filter. (get_the_ID() doesn't have one either.) That said, it returns an integer. So we can/should either cast to an integer inside get_comment_ID(), or just assume that plugin authors won't return something other than an integer.

#2 @obenland
5 years ago

New patch casts get_comment_ID() filter value to an integer.

#3 @SergeyBiryukov
5 years ago

  • Version changed from trunk to 1.5

#4 @obenland
5 years ago

  • Milestone changed from Awaiting Review to 3.7

#5 @nacin
5 years ago

This may actually be a breaking change along the lines of #22324.

#6 follow-up: @kwight
5 years ago

Does that mean we should go back to the original patch?

#7 in reply to: ↑ 6 @nacin
5 years ago

Replying to kwight:

Does that mean we should go back to the original patch?

I think it's actually probably a wontfix.

#8 @nacin
5 years ago

  • Milestone 3.7 deleted
  • Resolution set to wontfix
  • Status changed from new to closed
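
The two remedies discussed in this ticket, escaping the filtered value at output versus casting it to an integer, compared in an added example that is not part of the ticket or of WordPress core. It runs without WordPress: the *_demo functions are hypothetical stand-ins for add_filter(), apply_filters(), esc_attr() and get_comment_ID(), and the filter callback is constructed.

```php
<?php
// Minimal stand-ins for the WordPress filter API (assumptions, not core code).
$filters = [];
function add_filter_demo(string $hook, callable $cb): void {
    global $filters;
    $filters[$hook][] = $cb;
}
function apply_filters_demo(string $hook, $value) {
    global $filters;
    foreach ($filters[$hook] ?? [] as $cb) {
        $value = $cb($value);
    }
    return $value;
}

// Simplified stand-in for esc_attr(): encode HTML special characters.
function esc_attr_demo($text): string {
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Models get_comment_ID(): the stored integer ID passes through a filter.
function get_comment_id_demo(int $stored_id) {
    return apply_filters_demo('get_comment_ID', $stored_id);
}

// Constructed plugin callback that returns something other than an integer.
add_filter_demo('get_comment_ID', function ($id) {
    return 'c' . $id . '" data-x="1';
});

$raw = get_comment_id_demo(42);

// 1. Template prints the filtered value as-is: the embedded quote ends the
//    id attribute early and the rest is parsed as a new attribute.
$unescaped = '<li id="comment-' . $raw . '">';

// 2. Escape at output: the markup stays well-formed and the filtered
//    value is preserved, only encoded.
$escaped = '<li id="comment-' . esc_attr_demo($raw) . '">';

// 3. Cast to integer: the attribute is always numeric, but a filtered
//    value that is not numeric is silently replaced by 0.
$cast = '<li id="comment-' . (int) $raw . '">';

echo $unescaped, "\n", $escaped, "\n", $cast, "\n";
```

The cast changes what a site with a non-integer filter callback outputs, while escaping only changes how the same value is encoded.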