Opened 11 years ago
Last modified 5 years ago
#24907 reopened defect (bug)
Escape admin_url() when used for ajax_url in admin header
| Reported by: | jeremyfelt | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 2.7 |
| Component: | Security | Keywords: | has-patch needs-testing |
| Focuses: | | Cc: | |
Description
As admin_url() is filtered right before returning, it should be escaped when output for use as the ajax_url in the admin.
Attachments (3)
Change History (10)
#2 (11 years ago)
esc_url() isn't right, as it encodes ampersands for display. At most you'd want esc_url_raw() — but really, we're just looking to avoid issues with escaping data for a JS string.
#4 (11 years ago)
esc_js() would work but is intended for escaping of inline JS. The _wp_specialchars() used there could break it. Don't think we have a suitable esc_* function when we echo arbitrary PHP strings inside a <script> tag.
I think we should be JSON encoding PHP string variables when outputting to JavaScript. This eliminates the need for escaping and surrounding with quotes.
Results of json_encode patch on output in header:
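The following is an added illustration, not the ticket's patch or the output referred to above. It uses plain PHP (no WordPress functions) and a constructed sample of what a filtered admin_url() value might contain, to contrast echoing it as a hand-quoted JS string literal with emitting it through json_encode().

```php
<?php
// Added example, not code from the ticket. Shows why a PHP string echoed
// inside a <script> tag needs an encoding that is correct for the JS context,
// and how json_encode() covers it. Runs stand-alone with plain PHP.

// Constructed sample of a filtered admin_url() return value. A plugin filter
// is assumed (hypothetically) to have appended a query string containing an
// ampersand, a single quote and a closing script tag.
$filtered = "/wp-admin/admin-ajax.php?a=1&b='x'&tag=</script>";

// Fragile: interpolating the raw value into a single-quoted JS literal.
// A quote in the value ends the literal early and "</script>" ends the
// <script> element in the HTML parser before the JS parser even runs.
function ajax_url_as_literal(string $url): string {
    return "var ajaxurl = '" . $url . "';";
}

// json_encode() produces a complete, double-quoted JS expression. Quotes,
// backslashes and line terminators become escape sequences, and "/" is
// escaped by default, so "</script>" becomes "<\/script>". The JSON_HEX_*
// flags additionally turn <, >, &, ' and " into \uXXXX sequences, which
// the JS engine decodes back to the original characters at runtime. That
// is the difference from esc_url(), whose "&#038;" would survive into the
// JS value; here the URL the script sees is byte-for-byte the original.
function ajax_url_as_json(string $url): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $encoded = json_encode($url, $flags);
    if ($encoded === false) {
        // json_encode() refuses invalid UTF-8; fail closed rather than emit
        // an empty or partial literal.
        throw new RuntimeException('ajax_url is not valid UTF-8: ' . json_last_error_msg());
    }
    return 'var ajaxurl = ' . $encoded . ';';
}

// Check used below: does the emitted JS still contain a raw closing tag?
function contains_raw_script_close(string $js): bool {
    return stripos($js, '</script>') !== false;
}

echo ajax_url_as_literal($filtered), PHP_EOL;
echo ajax_url_as_json($filtered), PHP_EOL;
echo 'literal contains raw </script>: ',
     contains_raw_script_close(ajax_url_as_literal($filtered)) ? 'yes' : 'no', PHP_EOL;
echo 'json form contains raw </script>: ',
     contains_raw_script_close(ajax_url_as_json($filtered)) ? 'yes' : 'no', PHP_EOL;
```

WordPress core later added wp_json_encode(), which wraps json_encode() with the same intent; the flags shown here are plain PHP constants and apply to either call.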