Make WordPress Core

Opened 7 years ago

Closed 6 years ago

#43717 closed enhancement (fixed)

Ping back URL display with out escaping.

Reported by: sharaz's profile sharaz Owned by: pento's profile pento
Milestone: 5.1 Priority: normal
Severity: normal Version: 4.9.5
Component: Bundled Theme Keywords: has-patch
Focuses: template Cc:

Description

functions.php
Line no 401 : printf( '<link rel="pingback" href="%s">' . "\n", get_bloginfo( 'pingback_url' ) );
According to theme review hand book Ref data should be escaped before output.
So the right way.
printf( '<link rel="pingback" href="%s">' . "\n", esc_url( get_bloginfo( 'pingback_url' ) ) );

Attachments (1)

43717.diff (5.6 KB) - added by soulseekah 7 years ago.
esc_url on bloginfo pingback URL

Download all attachments as: .zip

Change History (10)

#1 @sharaz
7 years ago

I found this issue in twenty seventeen functions.php

@soulseekah
7 years ago

esc_url on bloginfo pingback URL

#2 @soulseekah
7 years ago

  • Keywords has-patch added

Welcome to Trac! Thanks for your report. While not a security issue (well, not less secure than the_title()), using esc_url should be done, of course.

43717.diff fixes all 7 themes in this regard.

#3 @sharaz
7 years ago

  • Component changed from Security to Themes
  • Type changed from defect (bug) to enhancement

This ticket was mentioned in Slack in #core by sharaz. View the logs.


7 years ago

#5 @SergeyBiryukov
7 years ago

  • Milestone changed from Awaiting Review to 5.0

#6 @pento
6 years ago

  • Milestone changed from 5.0 to 5.1

#7 @pento
6 years ago

  • Owner set to pento
  • Status changed from new to assigned

#8 @pento
6 years ago

  • Component changed from Themes to Bundled Theme

#9 @pento
6 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 44500:

Bundled Themes: Run the pingback_url through esc_url().

Twenties Ten through Seventeen have been updated to properly escape the pingback URL. Twenty Nineteen is already escaping the URL.

Props soulseekah, sharaz.
Fixes #43717.

Note: See TracTickets for help on using tickets.