WordPress.org
Get WordPress

Make WordPress Core

Opened 8 years ago

Closed 6 years ago

#41921 closed enhancement (fixed)

add esc_html before the admin title display

Reported by: lalitpendhare's profile lalitpendhare Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 5.5 Priority: normal
Severity: normal Version:
Component: Administration Keywords: has-patch commit
Focuses: Cc:

Description

I have found esc_html is missing before the admin title on line number 67.

file location: "wp-admin/admin-header.php".

Attachments (2)

admin-header-41921.php (358 bytes) - added by lalitpendhare 8 years ago.
add esc_html before the admin title display on line 67
41921.patch (358 bytes) - added by adnan.limdi 8 years ago.
Hello Lalitpendhare, i think, you have created wrong patch file. so here i have update new patch file.

Download all attachments as: .zip

Change History (11)

@lalitpendhare
8 years ago

add esc_html before the admin title display on line 67

#1 @lalitpendhare
8 years ago

  • Keywords has-patch added

@adnan.limdi
8 years ago

Hello Lalitpendhare, i think, you have created wrong patch file. so here i have update new patch file.

#2 @SergeyBiryukov
8 years ago

  • Component changed from Import to Administration
  • Focuses administration removed

Hi @lalitpendhare, thanks for the ticket!

The title already runs through esc_html() a few lines above, what's the reason for escaping it twice?

#3 follow-up: @swissspidy
8 years ago

@adnan.limdi The diff was correct, just the file extension was off.

#4 in reply to: ↑ 3 @adnan.limdi
8 years ago

Replying to swissspidy:

@adnan.limdi The diff was correct, just the file extension was off.

yes @swissspidy you are right that's why i update it.

@SergeyBiryukov here apply_filters added that's why we have add esc_html(); again for improvement.

Last edited 8 years ago by adnan.limdi (previous) (diff)

#5 @subrataemfluence
8 years ago

Hello @lalitpendhare, I agree with @SergeyBiryukov specially in the context of present coding pattern.

$admin_title = apply_filters( 'admin_title', $admin_title, $title );

Although the above line has apply_filters applied, the extra content parameter $admin_title is already being outputted using an esc_html above and not changing in between before this line is executed. So adding another esc_html will be kind of useless.

However, as @adnan.limdi mentioned, because there is an apply_filters and in future releases there could be a chance of $admin_title value gets change before the line in question, it is always safe to have esc_html applied at the point where the actual output is generated.

I personally feel what @lalitpendhare has recommended is good to integrate as an enhancement.

This ticket was mentioned in Slack in #core by lalitpendhare. View the logs.
8 years ago

#7 @andraganescu
7 years ago

  • Keywords commit added

@SergeyBiryukov the reason is that the title passes through a filter and it might undo the effect of the esc_html above. Whenever there is such a possibility all throughout the codebase esc_html is used right at output time, like in this patch., therefore I think this is a good patch.

#8 @SergeyBiryukov
6 years ago

  • Milestone changed from Awaiting Review to 5.5
  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#9 @SergeyBiryukov
6 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 47474:

Administration: Escape admin title on output after the admin_title filter runs, not before.

Props lalitpendhare, adnan.limdi, subrataemfluence, andraganescu.
Fixes #41921.

Note: See TracTickets for help on using tickets.