Opened 10 years ago
Closed 10 years ago
#29259 closed defect (bug) (duplicate)
post_class filter can introduce non-escaped output
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.0 |
| Component: | Posts, Post Types | Keywords: | |
| Focuses: | template | Cc: | |
Description
Currently the post_class filter is executed after esc_attr has been used to escape the existing classes, and thus newly added classes are not escaped properly.
Excerpt from get_post_class:

```php
$classes = array_map( 'esc_attr', $classes );

/**
 * Filter the list of CSS classes for the current post.
 *
 * @since 2.7.0
 *
 * @param array  $classes An array of post classes.
 * @param string $class   A comma-separated list of additional classes added to the post.
 * @param int    $post_id The post ID.
 */
$classes = apply_filters( 'post_class', $classes, $class, $post->ID );

return array_unique( $classes );
```
I think we should escape after applying the filter, not before, since a snippet like the following can exploit the code and break output:
```php
add_filter( 'post_class', function( $classes ) {
	$classes[] = '" data-foo="bar'; // sneaking in some data attributes
	// OR
	$classes[] = '">some evil stuff here'; // nasty!
	return $classes;
} );
```
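The following is an added example, not code from the ticket or from WordPress core. It reproduces the ordering problem described above with a self-contained stand-in for get_post_class(): a minimal hook registry (the add_filter/apply_filters functions below are simplified assumptions, not the WordPress implementations), an esc_attr() approximated with htmlspecialchars(), and two variants of the class-building code, one escaping before the filter as in 4.0 and one escaping after the filter as the ticket proposes.

```php
<?php
// Added example; not part of the ticket or of WordPress core.
// The hook registry and esc_attr() are simplified approximations
// (assumption: htmlspecialchars with ENT_QUOTES and double_encode=false
// is close enough to WordPress's esc_attr() for this demonstration).

$filters = [];

function add_filter( string $tag, callable $fn ): void {
	global $filters;
	$filters[ $tag ][] = $fn;
}

function apply_filters( string $tag, $value, ...$args ) {
	global $filters;
	foreach ( $filters[ $tag ] ?? [] as $fn ) {
		$value = $fn( $value, ...$args );
	}
	return $value;
}

function esc_attr( string $text ): string {
	// double_encode=false so an already-encoded '&amp;' is left alone,
	// mirroring WordPress's behaviour rather than double-encoding it.
	return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8', false );
}

// Ordering as in 4.0: escape, then filter. Anything the filter adds is
// emitted verbatim, so a class value containing '"' closes the attribute.
function get_post_class_before( array $classes, int $post_id ): array {
	$classes = array_map( 'esc_attr', $classes );
	$classes = apply_filters( 'post_class', $classes, '', $post_id );
	return array_unique( $classes );
}

// Ordering proposed in the ticket: filter, then escape. Every class that
// reaches the attribute has passed through esc_attr(), whoever added it.
function get_post_class_after( array $classes, int $post_id ): array {
	$classes = apply_filters( 'post_class', $classes, '', $post_id );
	$classes = array_map( 'esc_attr', $classes );
	return array_unique( $classes );
}

// The same string interpolation post_class() does into the class attribute.
function render( array $classes ): string {
	return '<div class="' . implode( ' ', $classes ) . '">';
}

// The ticket's proof-of-concept filter: a class value carrying a double quote.
add_filter( 'post_class', function ( array $classes ): array {
	$classes[] = '" data-foo="bar';
	return $classes;
} );

$base = [ 'post-1', 'type-post' ]; // constructed sample classes

echo render( get_post_class_before( $base, 1 ) ), PHP_EOL;
echo render( get_post_class_after( $base, 1 ) ), PHP_EOL;
```

Run with php on the command line. In the first line of output the injected value terminates the class attribute and a data-foo attribute appears on the element; in the second the double quotes are encoded as &quot; and the whole value stays inside the class attribute as inert text. The point generalises beyond the post_class filter: any escaping step that runs before a hook hands the value to third-party code does not protect the hook's output, so the escape has to be the last operation before interpolation. The one thing moving the escape after the filter does change is that filters which already escape their own classes are no longer double-encoded only because esc_attr() leaves existing entities alone, which is why double_encode is set to false above.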
Attachments (1)
patch for post_class delayed filter
Change History (2)