Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#44880 closed enhancement (fixed)

Missing sanitization

Reported by: abhijitrakas Owned by: SergeyBiryukov
Milestone: 5.1 Priority: normal
Severity: normal Version:
Component: Taxonomy Keywords: has-patch needs-testing
Focuses: coding-standards Cc:

Description

In the Walker category class, inside the start_el function, the image URL and li classes need to be sanitized before use.

Attachments (2)

44880.diff (1.0 KB) - added by abhijitrakas 5 years ago.
44880.patch (1.1 KB) - added by mukesh27 5 years ago.
Updated patch for LI class


Change History (13)

@abhijitrakas
5 years ago

#1 @mukesh27
5 years ago

  • Component changed from General to Menus
  • Focuses ui removed
  • Keywords needs-testing added
  • Type changed from defect (bug) to enhancement

@mukesh27
5 years ago

Updated patch for LI class

#2 @mukesh27
5 years ago

  • Component changed from Menus to Taxonomy
  • Focuses coding-standards added
  • Keywords dev-feedback added

#3 @SergeyBiryukov
5 years ago

  • Milestone changed from Awaiting Review to 4.9.9
  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#4 @pento
5 years ago

  • Milestone changed from 4.9.9 to 5.0.1

#5 @pento
5 years ago

  • Milestone changed from 5.0.1 to 5.0.2

#6 @pento
5 years ago

  • Milestone changed from 5.0.2 to 5.0.3

This ticket was mentioned in Slack in #core by desrosj. View the logs.


5 years ago

#8 @ocean90
5 years ago

  • Keywords dev-feedback removed
  • Milestone changed from 5.0.3 to 5.1

#9 @SergeyBiryukov
5 years ago

In 44413:

Taxonomy: Escape feed_image argument in Walker_Category::start_el().

See [11838] for the instance in wp_list_authors().

Props abhijitrakas.
See #44880.

#10 @SergeyBiryukov
5 years ago

In 44414:

Taxonomy: Escape CSS classes in Walker_Category::start_el() after the category_css_class filter runs.

Don't add an empty class attribute if there are no classes, for consistency with Walker_Nav_Menu::start_el().

Props abhijitrakas, mukesh27.
See #44880.

#11 @SergeyBiryukov
5 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 44415:

Pages, Post Types: Escape CSS classes in Walker_Page::start_el() after the page_css_class filter runs.

Don't add an empty class attribute if there are no classes, for consistency with Walker_Nav_Menu::start_el().

Props abhijitrakas, mukesh27.
Fixes #44880.
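
The pattern described in the commit messages for [44414] and [44415], as an added example that is not WordPress core code and not taken from the attached patches: the class string is escaped only after the filter has run, and the attribute is omitted when no classes remain. The names `esc_attr_standin()`, `sample_class_filter()`, `li_open_unescaped()` and `li_open_escaped()` are hypothetical; the stand-in uses `htmlspecialchars()` to approximate `esc_attr()` so the file runs without WordPress loaded.

```php
<?php
// Added example; assumes nothing from WordPress is loaded.
// Stand-in for esc_attr(): encodes &, <, > and both quote characters.
function esc_attr_standin( string $text ): string {
	return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
}

// Hypothetical callback standing in for a plugin hooked to the
// category_css_class filter. It appends a value core does not control.
function sample_class_filter( array $classes ): array {
	$classes[] = 'term-"quoted"'; // constructed value containing quote characters
	return $classes;
}

// Before: the filtered classes go into the attribute unescaped, so a quote
// in any class ends the attribute value early.
function li_open_unescaped( array $classes, callable $filter ): string {
	$css = implode( ' ', $filter( $classes ) );
	return '<li class="' . $css . '">';
}

// After: escape the joined string once the filter has run (escaping earlier
// would miss whatever the filter adds), and emit no class attribute at all
// when the filter leaves nothing.
function li_open_escaped( array $classes, callable $filter ): string {
	$css  = implode( ' ', $filter( $classes ) );
	$attr = $css ? ' class="' . esc_attr_standin( $css ) . '"' : '';
	return '<li' . $attr . '>';
}

$base = array( 'cat-item', 'cat-item-7' ); // constructed sample classes

echo li_open_unescaped( $base, 'sample_class_filter' ), "\n";
echo li_open_escaped( $base, 'sample_class_filter' ), "\n";

// A filter that removes every class: the escaped variant prints a bare <li>.
$strip_all = function ( array $classes ): array {
	return array();
};
echo li_open_escaped( $base, $strip_all ), "\n";
```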
