Make WordPress Core

Opened 8 months ago

Last modified 8 months ago

#40401 reopened defect (bug)

Value of data-colname in wp-list-table is not escaped

Reported by: rellect
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.3
Component: Administration
Keywords: has-patch
Focuses:
Cc:

Description

It looks like at some point the esc_attr() was removed in favor of wp_strip_all_tags.
wp-admin/includes/class-wp-list-table.php

<?php
// Comments column uses HTML in the display name with screen reader text.
// Instead of using esc_attr(), we strip tags to get closer to a user-friendly string.
$data = 'data-colname="' . wp_strip_all_tags( $column_display_name ) . '"';

But wp_strip_all_tags does not escape the value, so wp_strip_all_tags should've been added as an addition to esc_attr, and not as a replacement.
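To make the difference concrete, here is an added Python example (not WordPress code and not part of the ticket) that builds the data-colname attribute both ways and parses the result back. strip_all_tags and esc_attr are simplified stand-ins for the two WordPress functions; the column labels are constructed samples.

```python
import html
import re
from html.parser import HTMLParser


def strip_all_tags(text: str) -> str:
    """Simplified stand-in for wp_strip_all_tags: drop script/style blocks,
    then every remaining tag, then trim. It does NOT touch quotes or '&'."""
    text = re.sub(r"<(script|style)[^>]*>.*?</\1>", "", text, flags=re.I | re.S)
    return re.sub(r"<[^>]*>", "", text).strip()


def esc_attr(text: str) -> str:
    """Simplified stand-in for esc_attr: escape &, <, >, \" and '."""
    return html.escape(text, quote=True)


def render_colname(display_name: str, escape: bool) -> str:
    """escape=False is the ticket's current code (strip only);
    escape=True is the proposed fix (strip, then escape)."""
    value = strip_all_tags(display_name)
    if escape:
        value = esc_attr(value)
    return f'<th data-colname="{value}">'


class _AttrReader(HTMLParser):
    """Collects the attributes of the first start tag seen."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs) -> None:
        if not self.attrs:
            self.attrs = dict(attrs)


def parsed_colname(markup: str):
    """What a browser-like parser recovers as the data-colname value."""
    reader = _AttrReader()
    reader.feed(markup)
    return reader.attrs.get("data-colname")


def colname_roundtrips(display_name: str, escape: bool) -> bool:
    """True when the parsed attribute equals the tag-stripped label."""
    return parsed_colname(render_colname(display_name, escape)) == strip_all_tags(display_name)


if __name__ == "__main__":
    # Constructed sample labels: the usual screen-reader markup, and one with quotes.
    for label in ('Comments <span class="screen-reader-text">Count</span>', 'Size ("bytes")'):
        for escape in (False, True):
            print(escape, render_colname(label, escape), colname_roundtrips(label, escape))
```

A label without quotes survives either way; a label containing a double quote is truncated at that quote unless esc_attr runs after the tags are stripped.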

Attachments (1)

40401.patch (1.2 KB) - added by rellect 8 months ago.


Change History (5)

@rellect
8 months ago

#1 @rellect
8 months ago

  • Keywords has-patch added
  • Resolution set to invalid
  • Status changed from new to closed

#2 @rellect
8 months ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

#3 @rellect
8 months ago

Sorry, accidentally clicked on the 'resolve as invalid' checkbox.

#4 @SergeyBiryukov
8 months ago

  • Version changed from 4.7.3 to 4.3

Related: [33016]
