Opened 5 years ago
Last modified 2 years ago
#44637 new defect (bug)
Escape strings in wp-admin/themes.php
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | has-patch reporter-feedback |
| Focuses: | coding-standards | Cc: | |
Description
A lot of translatable strings are not escaped.
Attachments (1)
Change History (4)
#3 @ 5 years ago
Hi @SergeyBiryukov,
Thank you for the prompt reply. I understand the "trusted" aspect and I apologise for re-opening the discussion.
However, being a developer who often looks into core in order to learn best practice, I find it rather frustrating that examples of good escaping are missing. And this is not something trivial, this is an important security matter about which developers have nowhere to learn from. DevHub does explain things in theory and has a few examples, but that doesn't cover every situation (like a few strings in this file I didn't know how to escape and couldn't find examples anywhere).
If the best practice for WordPress code is not in WordPress core then where should it be?
Hi @milana_cap, thanks for the ticket!
Could you clarify why these strings should be escaped? Core translations are considered safe because we have a review process for them, see #42639 and the discussion in #30724.
Related: #32233
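The comment above asks where examples of good escaping of translatable strings can be found; the following is an added illustration, not code from this ticket or from WordPress core, of the usual late-escaping patterns. The text domain 'my-plugin', the URL and the update count are constructed placeholders.

```php
<?php
// Added example (not WordPress core code): escape translatable strings at
// the point of output, choosing the escaper that matches the context.
// 'my-plugin' is a hypothetical text domain used only for illustration.

// 1. Plain text in the HTML body: esc_html_e() escapes the translation before
//    printing it. _e() alone would print whatever the translation contains.
esc_html_e( 'Theme activated.', 'my-plugin' );

// 2. Text inside an attribute: esc_attr__() prevents the translation from
//    closing the quoted attribute and injecting further markup.
printf( '<input type="submit" value="%s">', esc_attr__( 'Activate', 'my-plugin' ) );

// 3. A string that has to carry a link: keep the markup in the source string,
//    escape the dynamic URL, and restrict the allowed HTML with wp_kses().
$activate_url = admin_url( 'themes.php?action=activate' ); // constructed example URL
echo wp_kses(
	sprintf(
		/* translators: %s: URL of the themes screen. */
		__( 'Visit the <a href="%s">themes screen</a> to activate it.', 'my-plugin' ),
		esc_url( $activate_url )
	),
	array( 'a' => array( 'href' => array() ) )
);

// 4. A message with a number: escape the translated template, not the number,
//    and use _n() so plural forms stay translatable.
$count = 3; // constructed example value
printf(
	esc_html( _n( '%s theme update is available.', '%s theme updates are available.', $count, 'my-plugin' ) ),
	number_format_i18n( $count )
);
```

The same pattern applies whether the string lives in core or in a plugin: the escaping function is chosen by where the output lands (HTML text, attribute, URL, or limited HTML), not by who wrote the translation.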