Make WordPress Core

Opened 5 years ago

Last modified 2 years ago

#44637 new defect (bug)

Escape strings in wp-admin/themes.php

Reported by: milana_cap's profile milana_cap Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Security Keywords: has-patch reporter-feedback
Focuses: coding-standards Cc:

Description

A lot of translatable strings are not escaped.

Attachments (1)

44637.patch (24.3 KB) - added by milana_cap 5 years ago.

Download all attachments as: .zip

Change History (4)

@milana_cap
5 years ago

#1 @milana_cap
5 years ago

  • Keywords has-patch added

#2 @SergeyBiryukov
5 years ago

  • Keywords reporter-feedback added

Hi @milana_cap, thanks for the ticket!

Could you clarify why these strings should be escaped? Core translations are considered safe because we have a review process for them, see #42639 and the discussion in #30724.

Related: #32233

#3 @milana_cap
5 years ago

Hi @SergeyBiryukov,

Thank you for prompt reply. I understand the "trusted" aspect and I apologise for re-opening the discussion.

However, being a developer who often looks into core in order to learn best practice, I find it rather frustrating that examples of good escaping are missing. And this is not something trivial, this is important security matter about which developers have nowhere to learn from. DevHub does explain things in theory and have a few examples but that doesn't cover every situation (like few strings in this file I didn't know how to escape and couldn't find examples anywhere).

If the best practice for WordPress code is not in WordPress core then where should it be?

Note: See TracTickets for help on using tickets.