Opened 4 years ago

Last modified 2 weeks ago

#40401 reopened defect (bug)

Value of data-colname in wp-list-table is not escaped

Reported by: rellect
Owned by:
Milestone: 5.8
Priority: normal
Severity: normal
Version: 4.3
Component: Administration
Keywords: needs-refresh
Focuses:
Cc:


It looks like at some point the esc_attr() was removed in favor of wp_strip_all_tags:

// Comments column uses HTML in the display name with screen reader text.
// Instead of using esc_attr(), we strip tags to get closer to a user-friendly string.
$data = 'data-colname="' . wp_strip_all_tags( $column_display_name ) . '"';

But wp_strip_all_tags does not escape the value, so wp_strip_all_tags should've been added in addition to esc_attr, and not as a replacement.
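The difference the description points at, as an added example that is not WordPress core code or the attached patch: a label is stripped only, then stripped and escaped, and the attribute value is read back the way an HTML parser would. The `demo_*` helpers are simplified stand-ins (assumptions) for `wp_strip_all_tags()` and `esc_attr()` so the snippet runs without WordPress, and the column labels are constructed.

```php
<?php
// Added example; not WordPress core code. The helpers below are simplified
// stand-ins (assumptions) so the snippet runs without WordPress loaded.

// Stand-in for wp_strip_all_tags(): removes markup, encodes nothing.
function demo_strip_all_tags( string $text ): string {
	$text = preg_replace( '@<(script|style)[^>]*?>.*?</\1>@si', '', $text );
	return trim( strip_tags( $text ) );
}

// Stand-in for esc_attr(): encodes & < > " ' for use inside an attribute.
function demo_esc_attr( string $text ): string {
	return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
}

// Models how an HTML parser reads a double-quoted attribute: the value ends
// at the first literal ", then character references are decoded.
function demo_read_colname( string $html ): ?string {
	if ( ! preg_match( '/data-colname="([^"]*)"/', $html, $m ) ) {
		return null;
	}
	return html_entity_decode( $m[1], ENT_QUOTES, 'UTF-8' );
}

// Constructed column labels: one with screen-reader markup, one with a quote.
$labels = array(
	'<span class="screen-reader-text">Comments</span>',
	'Size "XL" & up',
);

foreach ( $labels as $label ) {
	$plain = demo_strip_all_tags( $label );

	// Behaviour quoted in the ticket: strip only.
	$stripped_only = '<td data-colname="' . $plain . '">';
	// What the description asks for: strip for readability, then escape.
	$strip_then_escape = '<td data-colname="' . demo_esc_attr( $plain ) . '">';

	foreach ( array( $stripped_only, $strip_then_escape ) as $html ) {
		$seen   = demo_read_colname( $html );
		$status = ( $seen === $plain ) ? 'intact' : 'BROKEN';
		printf( "%-52s => %-18s %s\n", $html, var_export( $seen, true ), $status );
	}
}
```

Only the stripped-only form of the quoted label reads back truncated: the attribute ends at the first `"` and the rest of the label lands in the tag as stray markup.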

Attachments (1)

40401.patch (1.2 KB) - added by rellect 4 years ago.


Change History (7)

#1 @rellect
4 years ago

  • Keywords has-patch added
  • Resolution set to invalid
  • Status changed from new to closed

#2 @rellect
4 years ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

#3 @rellect
4 years ago

Sorry, accidentally clicked on the 'resolve as invalid' checkbox.

#4 @SergeyBiryukov
4 years ago

  • Version changed from 4.7.3 to 4.3

Related: [33016]

#5 @rellect
3 years ago

Still an issue with current WordPress 4.9.8.

#6 @Hareesh Pillai
2 weeks ago

  • Keywords needs-refresh added; has-patch removed
  • Milestone changed from Awaiting Review to 5.8

Patch needs a refresh against trunk.
