Opened 7 years ago
Closed 6 years ago
#43717 closed enhancement (fixed)
Pingback URL display without escaping.
Reported by: | sharaz | Owned by: | pento |
---|---|---|---|
Milestone: | 5.1 | Priority: | normal |
Severity: | normal | Version: | 4.9.5 |
Component: | Bundled Theme | Keywords: | has-patch |
Focuses: | template | Cc: | |
Description
functions.php, line 401:
printf( '<link rel="pingback" href="%s">' . "\n", get_bloginfo( 'pingback_url' ) );
According to the Theme Review Handbook, data should be escaped before output.
So the right way:
printf( '<link rel="pingback" href="%s">' . "\n", esc_url( get_bloginfo( 'pingback_url' ) ) );
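The ticket's fix is a one-line wrap, but the attached patch had to touch seven themes, so the practical question for a reviewer is how to find every remaining unescaped occurrence. The script below is an added example, not part of the ticket or its patch: it defines a small audit function that reports `get_bloginfo( 'pingback_url' )` calls in PHP files that are not wrapped in `esc_url()`, and runs it against a throwaway theme tree whose two `functions.php` files are constructed here (one unescaped, one escaped). Theme names and paths are invented for the demo.

```shell
#!/bin/sh
# Added example: audit theme files for pingback URLs printed without esc_url().
# Not from the ticket or its patch; the theme tree below is constructed for the demo.
set -eu

# find_unescaped_pingback DIR
# Prints "file:line:code" for each get_bloginfo( 'pingback_url' ) call that is
# not already wrapped in esc_url(). Exits 0 even when nothing is found.
find_unescaped_pingback() {
    grep -rn --include='*.php' "get_bloginfo( *'pingback_url' *)" "$1" \
        | grep -v "esc_url( *get_bloginfo( *'pingback_url' *)" || true
}

# Build a throwaway theme tree to run the check against (constructed sample files).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/demo-theme-one" "$demo_dir/demo-theme-two"

# Unescaped output, the pattern the ticket reports.
cat > "$demo_dir/demo-theme-one/functions.php" <<'EOF'
<?php
printf( '<link rel="pingback" href="%s">' . "\n", get_bloginfo( 'pingback_url' ) );
EOF

# Escaped output, the pattern the ticket asks for.
cat > "$demo_dir/demo-theme-two/functions.php" <<'EOF'
<?php
printf( '<link rel="pingback" href="%s">' . "\n", esc_url( get_bloginfo( 'pingback_url' ) ) );
EOF

# Only demo-theme-one/functions.php should be reported.
find_unescaped_pingback "$demo_dir"
```

Point the function at a real `wp-content/themes` directory to get a file:line list to work through; each hit is a candidate for the same `esc_url()` wrap shown in the description.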
Attachments (1)
Change History (10)
#2, 7 years ago
- Keywords has-patch added
Welcome to Trac! Thanks for your report. While not a security issue (well, not less secure than the_title()), using esc_url should be done, of course.
43717.diff fixes all 7 themes in this regard.
#3, 7 years ago
- Component changed from Security to Themes
- Type changed from defect (bug) to enhancement
This ticket was mentioned in Slack in #core by sharaz, 7 years ago.
I found this issue in the Twenty Seventeen functions.php.