Make WordPress Core

#24738 closed defect (bug) (wontfix)

id attributes populated by comment_ID() are not escaped

Reported by: kwight
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 1.5
Component: Comments
Keywords: has-patch
Focuses:
Cc:

Description

The core comment templates use comment_ID() to help populate some id attributes. comment_ID() is filterable, and should be escaped.

Attachments (2)

24738.diff (2.2 KB) - added by kwight 21 months ago.
24738.1.diff (431 bytes) - added by obenland 21 months ago.

Change History (10)

@kwight 21 months ago

comment:1 @nacin 21 months ago

If I had my way, get_comment_ID() wouldn't have a filter. (get_the_ID() doesn't have one either.) That said, it returns an integer. So we can/should either cast to an integer inside get_comment_ID(), or just assume that plugin authors won't return something other than an integer.

@obenland 21 months ago

comment:2 @obenland 21 months ago

New patch casts get_comment_ID() filter value to an integer.

comment:3 @SergeyBiryukov 21 months ago

  • Version changed from trunk to 1.5

comment:4 @obenland 20 months ago

  • Milestone changed from Awaiting Review to 3.7

comment:5 @nacin 19 months ago

This may actually be a breaking change along the lines of #22324.
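The unescaped output from the description, the integer cast from comment 1 (the 24738.1.diff approach) and the breaking-change concern from comment 5, as an added PHP illustration that is not WordPress core code or either attached patch. The add_filter/apply_filters/esc_attr stand-ins are assumptions written here so it runs without WordPress (PHP 7.4+ for the arrow functions).

```php
<?php
// Added illustration, not WordPress core code. Minimal stand-ins for
// WordPress's add_filter()/apply_filters()/esc_attr() so this runs alone.
$GLOBALS['filters'] = [];
function add_filter_stub(string $hook, callable $cb): void {
    $GLOBALS['filters'][$hook][] = $cb;
}
function apply_filters_stub(string $hook, $value) {
    foreach ($GLOBALS['filters'][$hook] ?? [] as $cb) {
        $value = $cb($value);
    }
    return $value;
}
// HTML-escape a value for use inside an attribute (what esc_attr() does).
function esc_attr_stub($text): string {
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// The three behaviours discussed in the ticket.
function comment_id_raw(int $id) {             // as reported: filter output used as-is
    return apply_filters_stub('get_comment_ID', $id);
}
function comment_id_escaped(int $id): string { // escape at the point of output
    return esc_attr_stub(apply_filters_stub('get_comment_ID', $id));
}
function comment_id_cast(int $id): int {       // 24738.1.diff: cast the filter value to int
    return (int) apply_filters_stub('get_comment_ID', $id);
}
// Attribute fragment the way the comment templates build it.
function render_li($id): string {
    return '<li id="comment-' . $id . '">';
}

// Constructed plugin behaviour: the filter hands back a string containing a
// double quote instead of the integer it received.
add_filter_stub('get_comment_ID', fn($id) => $id . '-x"');
echo render_li(comment_id_raw(42)), PHP_EOL;     // the quote reaches the attribute untouched
echo render_li(comment_id_escaped(42)), PHP_EOL; // the quote is entity-encoded
echo render_li(comment_id_cast(42)), PHP_EOL;    // only the leading integer survives

// Comment 5's objection: a plugin that legitimately prefixes the ID has its
// whole value discarded by the cast, since a non-numeric string casts to 0.
$GLOBALS['filters'] = [];
add_filter_stub('get_comment_ID', fn($id) => 'legacy-' . $id);
echo render_li(comment_id_cast(42)), PHP_EOL;    // prefix and ID both lost
```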

comment:6 follow-up: @kwight 19 months ago

Does that mean we should go back to the original patch?

comment:7 in reply to: ↑ 6 @nacin 19 months ago

Replying to kwight:

Does that mean we should go back to the original patch?

I think it's actually probably a wontfix.

comment:8 @nacin 18 months ago

  • Milestone 3.7 deleted
  • Resolution set to wontfix
  • Status changed from new to closed