Make WordPress Core

Opened 4 years ago

Last modified 4 years ago

#51855 new defect (bug)

wp_dropdown_categories allows multiple classes

Reported by: tnash's profile tnash Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 2.8
Component: General Keywords:
Focuses: Cc:

Description

The function wp_dropdown_categories() provides the argument for class in line with many other functions however it uses:

$class    = esc_attr( $parsed_args['class'] );

Rather then then:

sanitize_html_class( $class )

This means its not using the much more restrictive santization and is allowing multiple classes.

Attachments (1)

51855.diff (589 bytes) - added by tnash 4 years ago.
Patch for wp_dropdown_categories to use sanitize_html_class

Download all attachments as: .zip

Change History (5)

@tnash
4 years ago

Patch for wp_dropdown_categories to use sanitize_html_class

#1 @SergeyBiryukov
4 years ago

Hi there, welcome back to WordPress Trac! Thanks for the ticket.

Just noting this appears to apply to:

  • wp_dropdown_categories()
  • wp_list_categories()
  • wp_dropdown_page()
  • wp_dropdown_users()

On the other hand, wp_list_bookmarks() does use sanitize_html_class(), see [32906] / #51666.

Not allowing multiple classes in the other functions would be a back-compat break, they should at least allow for passing in an array of classes, same as wp_list_bookmarks().

Last edited 4 years ago by SergeyBiryukov (previous) (diff)

#2 @SergeyBiryukov
4 years ago

In 49688:

Docs: Clarify that the $class argument of wp_list_bookmarks() can accept an array.

Follow-up to [32906].

See #51855, #51800.

#3 @hellofromTonya
4 years ago

  • Version set to 2.8

$class = esc_attr introduced in 2.8 via changeset 11890.

#4 @tnash
4 years ago

Personally I would love to see sanitize_html_class() support multiple classes safely.

However the ticket was raised exactly because of the inconsistencies across functions, developers will expect class arguments to behave and be escaped the same across functions and indeed a function exists for this very usecase so it would make sense to use the stricter purpose built function. Alternatively to switch for all functions to use the more permissive esc_attr when inserting class.

Note: See TracTickets for help on using tickets.