Opened 10 years ago
Closed 10 years ago
#30952 closed defect (bug) (fixed)
customize.php links in the admin menu are not ecaped
Reported by: |
|
Owned by: |
|
---|---|---|---|
Milestone: | 4.2 | Priority: | normal |
Severity: | normal | Version: | 4.1 |
Component: | Customize | Keywords: | has-patch |
Focuses: | administration | Cc: |
Description
Additionally add_query_arg
is used incorrectly.
Introduced in [30459].
Attachments (3)
Change History (9)
#3
@
10 years ago
Isn't there a more fundamental problem here for escaping? The _wp_menu_output()
is not always calling esc_url()
when echoing out the menu items. So it seems that something like 30952.demo.diff would be a more robust improvement.
Note: See
TracTickets for help on using
tickets.
The
urlencode()
must stay, otherwise it breaks URLs with multiple query arguments.