Opened 8 years ago
Closed 4 years ago
#40401 closed defect (bug) (fixed)
Value of data-colname in wp-list-table is not escaped
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 5.8 | Priority: | normal |
Severity: | normal | Version: | 4.3 |
Component: | Administration | Keywords: | has-patch commit |
Focuses: | | Cc: | |
Description
It looks like at some point the esc_attr() was removed in favor of wp_strip_all_tags
wp-admin/includes/class-wp-list-table.php
<?php
// Comments column uses HTML in the display name with screen reader text.
// Instead of using esc_attr(), we strip tags to get closer to a user-friendly string.
$data = 'data-colname="' . wp_strip_all_tags( $column_display_name ) . '"';
But wp_strip_all_tags does not escape the value, so wp_strip_all_tags should've been added in addition to esc_attr, not as a replacement.
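To make the difference concrete, here is an added example (not WordPress code and not from the ticket's patch) that builds the attribute both ways. The two helpers are simplified stand-ins for wp_strip_all_tags() and esc_attr() so the script runs without WordPress; the column name is constructed, using a literal inch mark as a benign character that is harmless to strip_tags() but terminates a double-quoted attribute.

```php
<?php
// Added example, not WordPress code. The helpers below are simplified stand-ins
// for wp_strip_all_tags() and esc_attr() so this runs without WordPress loaded.

// Stand-in for wp_strip_all_tags(): drop script/style blocks, then all other tags.
function strip_all_tags_stub( $string ) {
    $string = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $string );
    $string = strip_tags( $string );
    return trim( $string );
}

// Stand-in for esc_attr(): HTML-encode quotes, angle brackets and ampersands
// so the result is safe inside a double-quoted attribute value.
function esc_attr_stub( $text ) {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
}

// Constructed column display name: screen-reader markup plus a literal inch mark.
$column_display_name = 'Width (") <span class="screen-reader-text">in inches</span>';

// Before (the line quoted in the ticket): tags are stripped for a readable label,
// but the double quote survives and closes the attribute early.
function build_attr_strip_only( $name ) {
    return 'data-colname="' . strip_all_tags_stub( $name ) . '"';
}

// After (strip in addition to escaping, as the reporter suggests): strip tags for
// readability, then escape the stripped text for the attribute context.
function build_attr_strip_and_escape( $name ) {
    return 'data-colname="' . esc_attr_stub( strip_all_tags_stub( $name ) ) . '"';
}

echo build_attr_strip_only( $column_display_name ), "\n";
// data-colname="Width (") in inches"      <- attribute ends after "Width (", rest is stray markup

echo build_attr_strip_and_escape( $column_display_name ), "\n";
// data-colname="Width (&quot;) in inches" <- one well-formed attribute value
```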
Attachments (2)
Change History (14)
#1
8 years ago
- Keywords has-patch added
- Resolution set to invalid
- Status changed from new to closed
#6
4 years ago
- Keywords needs-refresh added; has-patch removed
- Milestone changed from Awaiting Review to 5.8
Patch needs a refresh against trunk.
#7
4 years ago
- Keywords has-patch commit added; needs-refresh removed
Patch refreshed. I think it's good to go.
#8
follow-up: ↓ 10
4 years ago
Thanks for the refresh, @audrasjb.
I notice a few other instances of wp_strip_all_tags() used without escaping. In the class-wp-screen file, for instance.
Should we handle those cases as well?
#10
in reply to: ↑ 8
4 years ago
Replying to Hareesh Pillai:
Should we handle those cases as well?
Let's commit that one for now; we can still open another ticket to address the other potential references :)
Sorry, accidentally clicked on the 'resolve as invalid' checkbox