Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#46990 closed defect (bug) (fixed)

Properly escape output of the ms_user_list_site_class filter

Reported by: davidbinda's profile david.binda Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 5.2 Priority: normal
Severity: normal Version: 5.2
Component: Networks and Sites Keywords: has-patch
Focuses: multisite Cc:

Description

In r44977 a new filter was added, based on the proposal in #41146. However, the output of the classes added via new filter is incorrect.

sanitize_html_class is being used for escaping an output, which has 2 flaws:

1) an escaping function should be used (eg.: esc_attr)
2) sanitize_html_class does not allow spaces on it's output ( only [A-Za-z0-9_-] ), so the implode( ' ' ) is being reverted and all new classes added via filter are concatenated w/o space in between them.

To mitigate the issue, esc_attr should be used in https://core.trac.wordpress.org/browser/trunk/src/wp-admin/includes/class-wp-ms-users-list-table.php?rev=44977#L355 instead of the sanitize_html_class.

Attachments (1)

46990.diff (781 bytes) - added by david.binda 6 years ago.

Download all attachments as: .zip

Change History (3)

@david.binda
6 years ago

#1 @SergeyBiryukov
6 years ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to 5.2

#2 @SergeyBiryukov
6 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 45252:

Networks and Sites: Use correct escaping function for classes added via ms_user_list_site_class filter.

Props david.binda.
Fixes #46990. See #41146.

Note: See TracTickets for help on using tickets.