Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#46990 closed defect (bug) (fixed)

Properly escape output of the ms_user_list_site_class filter

Reported by: david.binda Owned by: SergeyBiryukov
Milestone: 5.2 Priority: normal
Severity: normal Version: 5.2
Component: Networks and Sites Keywords: has-patch
Focuses: multisite Cc:


In r44977 a new filter was added, based on the proposal in #41146. However, the output of the classes added via the new filter is incorrect.

sanitize_html_class is being used for escaping the output, which has 2 flaws:

1) an escaping function should be used (e.g. esc_attr)
2) sanitize_html_class does not allow spaces in its output (only [A-Za-z0-9_-]), so the implode( ' ' ) is being reverted and all new classes added via the filter are concatenated without a space in between them.

To mitigate the issue, esc_attr should be used instead of sanitize_html_class.
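The concatenation bug described above, and the fix applied in 45252, as an added PHP example that is not code from the ticket or from WordPress core; the two helper functions are simplified stand-ins assumed here so the script runs without WordPress loaded (in core, the real sanitize_html_class() and esc_attr() are used).

```php
<?php
// Added example, not WordPress core code. The helpers below are assumed,
// simplified stand-ins for the two core functions the ticket compares.

// Stand-in for sanitize_html_class(): keeps only [A-Za-z0-9_-], so any
// space used as a class separator is stripped along with everything else.
function stand_in_sanitize_html_class( string $class ): string {
    return preg_replace( '/[^A-Za-z0-9_-]/', '', $class );
}

// Stand-in for esc_attr(): escaping for an HTML attribute value, which is
// the context the class list is printed into.
function stand_in_esc_attr( string $text ): string {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
}

// Constructed sample: the classes the list table already computes, plus
// classes a plugin could add through the ms_user_list_site_class filter.
$classes = array( 'site-1', 'primary', 'featured' );

// r44977 behaviour (the bug): the sanitizer runs on the imploded string,
// so the three class names fuse into one token that matches no CSS rule.
$buggy = stand_in_sanitize_html_class( implode( ' ', $classes ) );

// 45252 behaviour (the fix): escape the imploded string for the attribute
// context instead; the separators survive and each class stays addressable.
$fixed = stand_in_esc_attr( implode( ' ', $classes ) );

// Why an escaping function is the right tool here: a filter value that
// carries a double quote is encoded and cannot terminate the attribute.
$untrusted = array( 'site-1', 'a"b' );
$safe      = stand_in_esc_attr( implode( ' ', $untrusted ) );

// Assumed alternative for callers that want per-class sanitization as
// well: sanitize each item before imploding, then escape for output.
$both = stand_in_esc_attr(
    implode( ' ', array_map( 'stand_in_sanitize_html_class', $untrusted ) )
);

printf( "buggy: <tr class=\"%s\">\n", $buggy );
printf( "fixed: <tr class=\"%s\">\n", $fixed );
printf( "safe:  <tr class=\"%s\">\n", $safe );
printf( "both:  <tr class=\"%s\">\n", $both );
```

Run with `php` on the command line; the first line shows the fused class token, the others show space-separated classes with the quote encoded.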

Attachments (1)

46990.diff (781 bytes) - added by david.binda 4 years ago.


Change History (3)

#1 @SergeyBiryukov
4 years ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to 5.2

#2 @SergeyBiryukov
4 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 45252:

Networks and Sites: Use correct escaping function for classes added via ms_user_list_site_class filter.

Props david.binda.
Fixes #46990. See #41146.
