Opened 7 years ago
Closed 7 years ago
#40216 closed defect (bug) (fixed)
Twenty Seventeen: Some parts do not escape html attributes
Reported by: | bor0 | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | 4.7.4 | Priority: | normal |
Severity: | normal | Version: | 4.7 |
Component: | Bundled Theme | Keywords: | has-patch fixed-major |
Focuses: | Cc: |
Description
There are appearances like:
https://core.trac.wordpress.org/browser/trunk/src/wp-content/themes/twentyseventeen/footer.php#L25
https://core.trac.wordpress.org/browser/trunk/src/wp-content/themes/twentyseventeen/template-parts/navigation/navigation-top.php#L12
_e() in these cases should actually be esc_attr_e() to ensure the translated string gets escaped for an HTML attribute context, because the translated string from another language could potentially have a character that would need to be escaped.
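The failure mode the description refers to, as an added example (not code from WordPress or from this ticket): a translated string containing a double quote is placed in an `aria-label` attribute raw and escaped, then read back the way an HTML parser delimits a double-quoted value. The catalog strings are constructed, and `demo_esc_attr()` is a hypothetical stand-in that approximates attribute escaping with `htmlspecialchars()`.

```php
<?php
// Constructed sample catalog: msgid => translated string. The values are made up
// to show characters a translator could legitimately use.
$catalog = array(
    'Main menu'   => 'Menu principal',
    'Footer menu' => 'Menu "pied de page"',
    'Header menu' => "Menu d'en-tête",
);

// Hypothetical stand-in for attribute escaping (assumption: approximates esc_attr()).
function demo_esc_attr( $text ) {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
}

// Build the tag the way a template would, with or without escaping the label.
function demo_render( $label, $escape ) {
    $value = $escape ? demo_esc_attr( $label ) : $label;
    return '<nav aria-label="' . $value . '">';
}

// A double-quoted attribute value ends at the next double quote; read it back
// that way, then decode character references as a parser would.
function demo_parsed_label( $html ) {
    if ( ! preg_match( '/aria-label="([^"]*)"/', $html, $m ) ) {
        return null;
    }
    return html_entity_decode( $m[1], ENT_QUOTES, 'UTF-8' );
}

// For each translation, report whether the label survives the round trip.
function demo_check_catalog( array $catalog ) {
    $report = array();
    foreach ( $catalog as $msgid => $translated ) {
        $report[ $msgid ] = array(
            'raw_ok'     => demo_parsed_label( demo_render( $translated, false ) ) === $translated,
            'escaped_ok' => demo_parsed_label( demo_render( $translated, true ) ) === $translated,
        );
    }
    return $report;
}

foreach ( demo_check_catalog( $catalog ) as $msgid => $result ) {
    printf(
        "%-12s raw: %-7s escaped: %s\n",
        $msgid,
        $result['raw_ok'] ? 'intact' : 'BROKEN',
        $result['escaped_ok'] ? 'intact' : 'BROKEN'
    );
}
```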
Attachments (1)
Change History (7)
#2
@
7 years ago
- Component changed from Security to Bundled Theme
- Milestone changed from Awaiting Review to 4.8
- Summary changed from Some parts of Twentyseventeen do not esc html attr to Twenty Seventeen: Some parts do not escape html attributes
#4
@
7 years ago
- Owner set to SergeyBiryukov
- Resolution set to fixed
- Status changed from new to closed
In 40311:
Here are future-proof links to the lines in question:
(linking to trunk is problematic, because those line numbers will invariably change in the future, and anyone who wants to look at the links will have to spend extra time to find the original ones)