WordPress.org

Make WordPress Core

Opened 3 years ago

Last modified 3 years ago

#32233 new defect (bug)

Improve escaping in /wp-admin/includes/template.php

Reported by: McGuive7 Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version: 4.3
Component: Administration Keywords: has-patch needs-refresh
Focuses: administration Cc:

Description

It was brought to my attention that various output in /wp-admin/includes/template.php is missing proper escaping. This includes titles for settings sections and fields, inline Thickbox JS, and various translatable strings (the translations for which might accidentally or intentionally include problematic content).

This patch adds various escaping functions where needed.

Attachments (1)

32233.patch (6.6 KB) - added by McGuive7 3 years ago.
Patch to fix missing escaping functions from /wp-admin/includes/template.php

Download all attachments as: .zip

Change History (7)

@McGuive7
3 years ago

Patch to fix missing escaping functions from /wp-admin/includes/template.php

#1 @McGuive7
3 years ago

  • Keywords has-patch needs-testing added

#2 @SergeyBiryukov
3 years ago

esc_html_e() should only be used for translatable strings, not for PHP variables.

Translations should be considered safe, we generally only escape them in attributes or in <option> tags.

#3 follow-up: @McGuive7
3 years ago

Aha, I see that I was incorrectly using esc_html_e() for variables, when it is indeed a gettext function. I can fix that for sure.

On another point, I'm confused. You say that esc_html_e() should only be used for translatable strings, and then you go on to say translations should be considered safe - which to me means that they don't need escaping. If they are safe, and never need escaping, then why does a function like esc_html__() or esc_html_e() exist? Can you clarify on this one?

I've actually had quite a bit of general confusion on what to escape and what not to escape. Up until recently, I had assumed that there was no need to escape translations, as the translator should ensure that they are safe, right? But then I recently received a PR on one of my projects stating the following as a reason for escaping translations:

In this case there might be code injections in translation files. There are some plugins that allow you to translate in-plugin text directly from WP admin and so on. You can't rely on what might happen and what new ways of translation or code injections might come up.

Additionally, when I dig into WP core, there are plenty of examples of escaping translatable strings using esc_html_e() and esc_attr_e(). That said, I've also come a cross many instances in which translatable strings aren't escaped - here are a few examples:

/wp-admin/custom-header.php (extra odd because it includes markup)

echo __( '<strong>Random:</strong> Show a different image on each page.' );

/wp-admin/network/users.php

echo __( 'Attribute all content to:' )

/wp-admin/includes/class-wp-posts-list-table.php`

echo __( '&ndash;OR&ndash;' );

Additionally, this thread on the _s repo seems to indicate that translatable strings are not always safe, as plugins can allow users to include potentially malicious translations: https://github.com/Automattic/_s/issues/231

Anyhow, thanks for the feedback - any further clarification would be awesome. Thanks!

#4 in reply to: ↑ 3 ; follow-up: @ocean90
3 years ago

  • Keywords needs-refresh added; needs-testing removed

Replying to McGuive7:

On another point, I'm confused. You say that esc_html_e() should only be used for translatable strings, and then you go on to say translations should be considered safe

That was just for the wrong use of esc_html_e() for esc_attr_e( $bytes ) in your patch.

Core translations are considered as safe because we have a review process for them. See also the comments on #30724.

Side note: All occurrences of echo __() should be replaced with _e().

#5 in reply to: ↑ 4 @marsjaninzmarsa
3 years ago

Replying to ocean90:

Side note: All occurrences of echo __() should be replaced with _e().

Fixed in #32239.

#6 @wonderboymusic
3 years ago

  • Milestone changed from Awaiting Review to Future Release
Note: See TracTickets for help on using tickets.