Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#32142 closed defect (bug) (fixed)

Escape $s global

Reported by: nacin's profile nacin Owned by: nacin's profile nacin
Milestone: 4.3 Priority: normal
Severity: normal Version:
Component: Query Keywords:
Focuses: template Cc:

Description

I've had this on my list for years of something we should do. So, let's try it and see what breaks.

Change History (3)

#1 @nacin
10 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 32298:

Escape the $s global.

fixes #32142.

#2 follow-up: @rmccue
10 years ago

Seems to me like this punishes themes doing it correctly? If I was previously doing title="echo esc_attr( $s )" (correctly doing late escaping), the text would now be double-escaped.

Also, pretty sure it breaks if you pass it back into WP_Query, which I can see done in one of the themes I have locally.

#3 in reply to: ↑ 2 @SergeyBiryukov
10 years ago

Replying to rmccue:

If I was previously doing title="echo esc_attr( $s )" (correctly doing late escaping), the text would now be double-escaped.

esc_attr() does not double-encode entities, see #25485.

Note: See TracTickets for help on using tickets.