Make WordPress Core

Opened 3 months ago

Last modified 2 months ago

#43717 new enhancement

Pingback URL displayed without escaping.

Reported by: sharaz
Owned by:
Milestone: 5.0
Priority: normal
Severity: normal
Version: 4.9.5
Component: Themes
Keywords: has-patch
Focuses: template
Cc:


functions.php line 401:

    printf( '<link rel="pingback" href="%s">' . "\n", get_bloginfo( 'pingback_url' ) );

According to the theme review handbook (ref.), data should be escaped before output. So the right way:

    printf( '<link rel="pingback" href="%s">' . "\n", esc_url( get_bloginfo( 'pingback_url' ) ) );

Attachments (1)

43717.diff (5.6 KB) - added by soulseekah 3 months ago.
esc_url on bloginfo pingback URL


Change History (6)

#1 @sharaz
3 months ago

I found this issue in twenty seventeen functions.php

@soulseekah
3 months ago

Attached 43717.diff: esc_url on bloginfo pingback URL

#2 @soulseekah
3 months ago

  • Keywords has-patch added

Welcome to Trac! Thanks for your report. While not a security issue (well, not less secure than the_title()), using esc_url should be done, of course.

43717.diff fixes all 7 themes in this regard.
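As an added example (not part of the ticket, the theme, or 43717.diff), a small Python checker for the pattern the report describes and the patch fixed across seven themes: `get_bloginfo()` passed straight to `printf`/`echo`/`print` without an `esc_*()` wrapper. It runs on a constructed PHP snippet modelled on the line quoted in the description; the function names in that snippet are made up, not Twenty Seventeen's.

```python
import re

# Escaping helpers a theme is expected to wrap a value in before printing it.
ESCAPERS = {"esc_url", "esc_attr", "esc_html", "esc_js", "wp_kses_post", "wp_kses"}
OUTPUT_RE = re.compile(r"\b(?:printf|echo|print)\b")
BLOGINFO_RE = re.compile(r"(?<![\w$])get_bloginfo\s*\(")

def wrapping_call(line, pos):
    """Name of the innermost call still open at pos, or None (single-line
    heuristic: ignores parens inside string literals and multi-line calls)."""
    depth = 0
    for i in range(pos - 1, -1, -1):
        if line[i] == ")":
            depth += 1
        elif line[i] == "(":
            if depth == 0:
                m = re.search(r"([A-Za-z_]\w*)\s*$", line[:i])
                return m.group(1) if m else None
            depth -= 1
    return None

def find_unescaped_bloginfo(source):
    """Return (line number, stripped line) for every output statement that
    passes get_bloginfo() to printf/echo/print without an esc_* wrapper."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if not OUTPUT_RE.search(line):
            continue  # assignments are out of scope for this line-level check
        for m in BLOGINFO_RE.finditer(line):
            if wrapping_call(line, m.start()) not in ESCAPERS:
                findings.append((lineno, line.strip()))
    return findings

# Constructed sample modelled on the ticket's line; function names are made up.
SAMPLE_THEME = """<?php
function sample_pingback_header() {
\tif ( is_singular() && pings_open() ) {
\t\tprintf( '<link rel="pingback" href="%s">' . "\\n", get_bloginfo( 'pingback_url' ) );
\t}
}
function sample_pingback_header_fixed() {
\tprintf( '<link rel="pingback" href="%s">' . "\\n", esc_url( get_bloginfo( 'pingback_url' ) ) );
}
echo get_bloginfo( 'description' );
echo '<p>' . esc_html( get_bloginfo( 'description' ) ) . '</p>';
"""

if __name__ == "__main__":
    for lineno, text in find_unescaped_bloginfo(SAMPLE_THEME):
        print(f"line {lineno}: unescaped get_bloginfo() output: {text}")
```

Run against a theme's functions.php, the checker reports the unfixed pingback line and the bare echo, and stays quiet on the esc_url/esc_html forms.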

#3 @sharaz
3 months ago

  • Component changed from Security to Themes
  • Type changed from defect (bug) to enhancement

This ticket was mentioned in Slack in #core by sharaz.

3 months ago

#5 @SergeyBiryukov
2 months ago

  • Milestone changed from Awaiting Review to 5.0