Make WordPress Core

Opened 6 years ago

Closed 4 weeks ago

#44637 closed defect (bug) (wontfix)

Escape strings in wp-admin/themes.php

Reported by: milana_cap
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords: has-patch reporter-feedback
Focuses: coding-standards
Cc:

Description

A lot of translatable strings are not escaped.

Attachments (1)

44637.patch (24.3 KB) - added by milana_cap 6 years ago.


Change History (5)

@milana_cap
6 years ago

#1 @milana_cap
6 years ago

  • Keywords has-patch added

#2 @SergeyBiryukov
6 years ago

  • Keywords reporter-feedback added

Hi @milana_cap, thanks for the ticket!

Could you clarify why these strings should be escaped? Core translations are considered safe because we have a review process for them, see #42639 and the discussion in #30724.

Related: #32233

#3 @milana_cap
6 years ago

Hi @SergeyBiryukov,

Thank you for the prompt reply. I understand the "trusted" aspect and I apologise for re-opening the discussion.

However, being a developer who often looks into core in order to learn best practice, I find it rather frustrating that examples of good escaping are missing. And this is not something trivial; this is an important security matter about which developers have nowhere to learn from. DevHub does explain things in theory and has a few examples, but that doesn't cover every situation (like a few strings in this file I didn't know how to escape and couldn't find examples anywhere).

If the best practice for WordPress code is not in WordPress core then where should it be?
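
Since the thread is about where developers can see the escaping patterns in practice, here is an added example covering the three usual output contexts for translated strings. It is illustrative only, not the actual code of wp-admin/themes.php, and the strings, the allowed-tag list and the `theme-install.php` link are placeholders chosen for the example.

```php
<?php
// Added example, not code from wp-admin/themes.php. Shows how a translated
// string is escaped for the context it is printed into. The escaping is
// applied to the *translated* result (esc_html( __() )), never to the
// source string, so a bad translation cannot inject markup.

// 1. Text between HTML tags: escape for HTML content.
//    esc_html_e( $s ) is shorthand for echo esc_html( __( $s ) ).
echo '<h2>';
esc_html_e( 'Themes' );
echo '</h2>';

// 2. Text inside an HTML attribute: escape for attribute context.
//    esc_attr__() is the attribute counterpart of esc_html__().
printf(
	'<input type="search" placeholder="%s" />',
	esc_attr__( 'Search installed themes...' )
);

// 3. A string that intentionally carries markup (a link the translator
//    must keep). esc_html() would print the tags literally, so instead
//    allow exactly the tags and attributes this message needs.
$allowed_tags = array(
	'a'      => array( 'href' => array() ),
	'strong' => array(),
);
echo wp_kses(
	sprintf(
		/* translators: %s: URL of the Add Themes screen (placeholder for the example) */
		__( 'No themes found. <a href="%s">Install a new theme</a>.' ),
		esc_url( admin_url( 'theme-install.php' ) )
	),
	$allowed_tags
);
```

The dynamic part of the third string (the URL) is escaped with esc_url() before it is substituted, and wp_kses() then strips any tag or attribute outside the allow list, so neither the translation nor the substituted value can introduce a script or event handler.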

#4 @johnbillion
4 weeks ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

I'll close this off because the current approach is that translated strings are considered trusted. If that changes in the future then it'll need a concerted effort to deal with all strings in the codebase.
