Opened 4 years ago
Last modified 4 years ago
#51855 new defect (bug)
wp_dropdown_categories allows multiple classes
Reported by: | tnash | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 2.8 |
Component: | General | Keywords: | |
Focuses: | | Cc: | |
Description
The function wp_dropdown_categories() provides the argument for class in line with many other functions; however, it uses:
`$class = esc_attr( $parsed_args['class'] );`
rather than:
`sanitize_html_class( $class )`
This means it's not using the much more restrictive sanitization and is allowing multiple classes.
Attachments (1)
Change History (5)
#1 @ 4 years ago
Hi there, welcome back to WordPress Trac! Thanks for the ticket.
Just noting this appears to apply to:
wp_dropdown_categories()
wp_list_categories()
wp_dropdown_page()
wp_dropdown_users()
On the other hand, wp_list_bookmarks() does use sanitize_html_class(), see [32906] / #51666.
Not allowing multiple classes in the other functions would be a back-compat break; they should at least allow for passing in an array of classes, same as wp_list_bookmarks().
#4 @ 4 years ago
Personally I would love to see sanitize_html_class() support multiple classes safely.
However, the ticket was raised exactly because of the inconsistencies across functions; developers will expect class arguments to behave and be escaped the same across functions, and indeed a function exists for this very use case, so it would make sense to use the stricter purpose-built function. Alternatively, switch all functions to use the more permissive esc_attr when inserting class.
Patch for wp_dropdown_categories to use sanitize_html_class
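To make the difference between the two escaping paths concrete, here is an added PHP example; it is not WordPress core code and not the attached patch. `wp_sanitize_html_class_stub()` and `esc_attr_stub()` are local stand-ins that mirror the core logic of sanitize_html_class() and esc_attr() so the file runs without WordPress, and `sanitize_class_arg()` is a hypothetical helper that accepts either a string or an array of classes and runs each one through the restrictive sanitizer (the back-compat option from comment #1); splitting a space-separated string into separate classes goes beyond what that comment asks for and is an assumption here.

```php
<?php
// Added example: stand-ins for two WordPress escaping functions, plus a
// hypothetical helper showing how a `class` argument can stay restrictive
// while still accepting more than one class.

// Mirrors the core logic of sanitize_html_class() (the filter is omitted):
// strip %xx octets, then anything outside A-Z a-z 0-9 _ -.
function wp_sanitize_html_class_stub( $class, $fallback = '' ) {
    $sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', (string) $class );
    $sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );
    if ( '' === $sanitized && '' !== $fallback ) {
        return wp_sanitize_html_class_stub( $fallback );
    }
    return $sanitized;
}

// Approximates esc_attr(): entity-encodes quotes, <, > and &, but keeps
// spaces and everything else, so "a b" stays two classes.
function esc_attr_stub( $text ) {
    return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
}

// Hypothetical helper: accept a string or an array of classes, sanitize each
// class individually, drop any that sanitize to nothing, and fall back to a
// default class (wp_dropdown_categories() defaults to 'postform').
function sanitize_class_arg( $class, $default = 'postform' ) {
    if ( ! is_array( $class ) ) {
        // Assumption: treat whitespace in a string as a class separator.
        $class = preg_split( '/\s+/', trim( (string) $class ), -1, PREG_SPLIT_NO_EMPTY );
    }
    $classes = array_filter( array_map( 'wp_sanitize_html_class_stub', $class ) );
    return $classes ? implode( ' ', $classes ) : wp_sanitize_html_class_stub( $default );
}

// Constructed sample input: two classes plus a quoted token that has no
// business in a class attribute.
$input = 'postform my-select "x"';
echo esc_attr_stub( $input ) . "\n";                   // entities only; multiple classes pass through
echo wp_sanitize_html_class_stub( $input ) . "\n";     // strict, but collapses to a single class
echo sanitize_class_arg( $input ) . "\n";              // strict and still several classes
echo sanitize_class_arg( array( 'postform', 'my select' ) ) . "\n"; // array form, per-class sanitizing
```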