
Opened 5 years ago

Closed 5 years ago

#30952 closed defect (bug) (fixed)

customize.php links in the admin menu are not escaped

Reported by: iseulde
Owned by: ocean90
Milestone: 4.2
Priority: normal
Severity: normal
Version: 4.1
Component: Customize
Keywords: has-patch
Focuses: administration
Cc:

Description

Additionally, add_query_arg() is used incorrectly.

Introduced in [30459].

Attachments (3)

30952.patch (2.6 KB) - added by iseulde 5 years ago.
30952.demo.diff (3.5 KB) - added by westonruter 5 years ago.
Example: escape admin menu item URLs when output
30952.themes.diff (1.2 KB) - added by MikeHansenMe 5 years ago.
themes.php also has one


Change History (9)

@iseulde
5 years ago

#1 @iseulde
5 years ago

  • Keywords has-patch added

#2 @ocean90
5 years ago

  • Keywords needs-refresh added

The urlencode() must stay, otherwise it breaks URLs with multiple query arguments.

@westonruter
5 years ago

Example: escape admin menu item URLs when output

#3 @westonruter
5 years ago

Isn't there a more fundamental problem here for escaping? The _wp_menu_output() is not always calling esc_url() when echoing out the menu items. So it seems that something like 30952.demo.diff would be a more robust improvement.

#4 @iseulde
5 years ago

@ocean90 Oops, sorry about the urlencode().

@westonruter That works too. :)

You still need to use an array for add_query_arg() though, or escape it manually.
esc_url( add_query_arg( 'a[a]', 'a', '/' ) ) === '/?aa=a'
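The three points raised in comments 2, 3 and 4 (keep urlencode() on the return URL, pass a bracketed key to add_query_arg() as a nested array, and escape the href at output time) combined in one added illustration. This is not the ticket's patch or core's code; it assumes WordPress is loaded so that add_query_arg(), esc_url(), esc_html() and wp_unslash() exist, and the demo_* helper names and the sample request URI are hypothetical.

```php
<?php
/*
 * Added illustration for ticket #30952 (not core's code, not the attached patch).
 * Assumes WordPress is loaded: add_query_arg(), esc_url(), esc_html(), wp_unslash().
 * The demo_* function names are hypothetical.
 */

/**
 * Base Customizer URL carrying the page to return to.
 * The return value is urlencode()d so that a request URI with its own
 * query string stays one argument (comment 2).
 */
function demo_customize_base_url( $request_uri ) {
	// Without urlencode(), '/wp-admin/edit.php?post_type=page&orderby=date' would yield
	//   customize.php?return=/wp-admin/edit.php?post_type=page&orderby=date
	// and customize.php would read 'orderby' as an argument of its own.
	return add_query_arg( 'return', urlencode( wp_unslash( $request_uri ) ), 'customize.php' );
}

/**
 * Deep link to a Customizer panel. The key is given as a nested array, not as the
 * string 'autofocus[panel]': the string form emits literal brackets, which esc_url()
 * strips (comment 4 shows '/?aa=a'), turning the key into 'autofocuspanel'. The array
 * form emits autofocus%5Bpanel%5D=..., which survives escaping intact.
 */
function demo_customize_panel_url( $base_url, $panel ) {
	return add_query_arg( array( 'autofocus' => array( 'panel' => $panel ) ), $base_url );
}

/**
 * Output side (comment 3): escape the href once, at the point where the menu item
 * is echoed, rather than relying on every caller to pre-escape what it registers.
 */
function demo_menu_link_html( $url, $label ) {
	return sprintf( '<a href="%s">%s</a>', esc_url( $url ), esc_html( $label ) );
}

// Constructed sample request URI with two query arguments (not a real request).
$base = demo_customize_base_url( '/wp-admin/edit.php?post_type=page&orderby=date' );

echo demo_menu_link_html( $base, 'Customize' ), "\n";
echo demo_menu_link_html( demo_customize_panel_url( $base, 'widgets' ), 'Widgets' ), "\n";
```

Registering the escaped URL with add_submenu_page() and escaping again in the output routine is harmless: esc_url() is idempotent on an already-escaped URL, whereas omitting it on either side leaves the href unescaped.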

@MikeHansenMe
5 years ago

themes.php also has one

#5 @MikeHansenMe
5 years ago

  • Keywords needs-refresh removed

#6 @ocean90
5 years ago

  • Owner set to ocean90
  • Resolution set to fixed
  • Status changed from new to closed

In 31427:

Escape Customizer links in the admin menu. Fix usage of add_query_arg().

props iseulde.
fixes #30952.
