Opened 6 years ago
Closed 6 years ago
#46990 closed defect (bug) (fixed)
Properly escape output of the ms_user_list_site_class filter
Reported by: | david.binda | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | 5.2 | Priority: | normal |
Severity: | normal | Version: | 5.2 |
Component: | Networks and Sites | Keywords: | has-patch |
Focuses: | multisite | Cc: | |
Description
In r44977 a new filter was added, based on the proposal in #41146. However, the output of the classes added via the new filter is incorrect. `sanitize_html_class` is being used for escaping an output, which has 2 flaws:

1) an escaping function should be used (e.g. `esc_attr`)
2) `sanitize_html_class` does not allow spaces in its output (only `[A-Za-z0-9_-]`), so the `implode( ' ' )` is being reverted and all new classes added via filter are concatenated w/o space in between them.

To mitigate the issue, `esc_attr` should be used in https://core.trac.wordpress.org/browser/trunk/src/wp-admin/includes/class-wp-ms-users-list-table.php?rev=44977#L355 instead of the `sanitize_html_class`.
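A stand-alone PHP illustration of the two flaws, added here as an example; it is not code from the ticket or from WordPress core. The `sanitize_html_class` and `esc_attr` stand-ins, the sample class list and the `class="..."` markup are assumptions made so that it runs without WordPress loaded.

```php
<?php
// Added example (not ticket or WordPress core code). Stand-ins for the two
// WordPress functions so the script runs without WordPress loaded; they model
// only the behaviour the ticket describes.
if ( ! function_exists( 'sanitize_html_class' ) ) {
    // Stand-in: keeps only [A-Za-z0-9_-], so spaces are dropped.
    function sanitize_html_class( $class ) {
        return preg_replace( '/[^A-Za-z0-9_-]/', '', $class );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    // Stand-in: attribute escaping, so quotes cannot end the attribute.
    function esc_attr( $text ) {
        return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Build the class attribute the way the list table does, once with the
// r44977 call and once with the function the ticket proposes.
function site_class_attribute( array $site_classes, $use_esc_attr ) {
    $joined = implode( ' ', $site_classes );
    $value  = $use_esc_attr ? esc_attr( $joined ) : sanitize_html_class( $joined );
    return 'class="' . $value . '"'; // surrounding markup is assumed
}

// Constructed sample: what a plugin might return from ms_user_list_site_class.
// The last entry shows why an escaping function (not a sanitizer) belongs here.
$site_classes = array( 'site-1', 'archived', 'label "quoted"' );

// Flaw 2: sanitize_html_class() strips the separators, gluing the classes
// into one token, so none of the intended classes match a stylesheet.
echo site_class_attribute( $site_classes, false ), "\n";

// Proposed fix: esc_attr() keeps the spaces and encodes the double quotes,
// so each class survives and the value stays inside the attribute.
echo site_class_attribute( $site_classes, true ), "\n";
```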
Attachments (1)
Change History (3)
In 45252: