Make WordPress Core

Opened 14 months ago

Last modified 14 months ago

#51855 new defect (bug)

wp_dropdown_categories allows multiple classes

Reported by: tnash
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 2.8
Component: General
Keywords:
Focuses:
Cc:


The function wp_dropdown_categories() provides the class argument, in line with many other functions; however, it uses:

$class    = esc_attr( $parsed_args['class'] );

Rather than:

sanitize_html_class( $class )

This means it's not using the much more restrictive sanitization and is allowing multiple classes.

Attachments (1)

51855.diff (589 bytes) - added by tnash 14 months ago.
Patch for wp_dropdown_categories to use sanitize_html_class


Change History (5)

14 months ago

Patch for wp_dropdown_categories to use sanitize_html_class

#1 @SergeyBiryukov
14 months ago

Hi there, welcome back to WordPress Trac! Thanks for the ticket.

Just noting this appears to apply to:

  • wp_dropdown_categories()
  • wp_list_categories()
  • wp_dropdown_page()
  • wp_dropdown_users()

On the other hand, wp_list_bookmarks() does use sanitize_html_class(), see [32906] / #51666.

Not allowing multiple classes in the other functions would be a back-compat break, they should at least allow for passing in an array of classes, same as wp_list_bookmarks().

Last edited 14 months ago by SergeyBiryukov

#2 @SergeyBiryukov
14 months ago

In 49688:

Docs: Clarify that the $class argument of wp_list_bookmarks() can accept an array.

Follow-up to [32906].

See #51855, #51800.

#3 @hellofromTonya
14 months ago

  • Version set to 2.8

$class = esc_attr introduced in 2.8 via changeset 11890.

#4 @tnash
14 months ago

Personally I would love to see sanitize_html_class() support multiple classes safely.

However, the ticket was raised exactly because of the inconsistencies across functions: developers will expect class arguments to behave and be escaped the same across functions, and indeed a function exists for this very use case, so it would make sense to use the stricter purpose-built function. Alternatively, switch all functions to use the more permissive esc_attr when inserting class.
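The following is an added example, not code from the ticket, its attached patch or WordPress core, illustrating the difference the description, comment #1 and comment #4 are about. The two helpers are simplified stand-ins written here for esc_attr() and sanitize_html_class() (assumption: they mirror core's behaviour closely enough for the comparison; core adds UTF-8 checks and filters). The demo_ function names, the per-class list helper and the sample inputs are constructed for illustration and are not core APIs.

```php
<?php
// Added example for ticket #51855; not WordPress core code.
// demo_esc_attr() and demo_sanitize_html_class() are simplified
// stand-ins for esc_attr() and sanitize_html_class() (assumption:
// same escaping rules, minus core's UTF-8 check and filters).

/** Attribute escaping: encodes &, <, >, " and ' but keeps spaces and everything else. */
function demo_esc_attr( string $text ): string {
    return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

/** Class-name sanitization: strip %XX sequences, then keep only [A-Za-z0-9_-]. */
function demo_sanitize_html_class( string $class, string $fallback = '' ): string {
    $sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $class );
    $sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );
    if ( '' === $sanitized && '' !== $fallback ) {
        return demo_sanitize_html_class( $fallback );
    }
    return $sanitized;
}

/**
 * The shape comment #1 points to for wp_list_bookmarks(): accept a string or an
 * array, sanitize each class on its own, and join with single spaces. A
 * space-separated string is split first so multiple classes survive intact.
 * (Hypothetical helper, not a core function.)
 */
function demo_sanitize_class_list( $classes ): string {
    if ( is_string( $classes ) ) {
        $classes = preg_split( '/\s+/', $classes, -1, PREG_SPLIT_NO_EMPTY );
    }
    $clean = array_filter( array_map( 'demo_sanitize_html_class', (array) $classes ), 'strlen' );
    return implode( ' ', $clean );
}

// Constructed sample inputs: a legitimate two-class value, a value that tries
// to break out of the attribute, and an array as wp_list_bookmarks() accepts.
$inputs = array(
    'postform wide',
    'postform" onfocus="alert(1)',
    array( 'postform', 'wide', 'a b' ),
);

foreach ( $inputs as $class ) {
    $label = is_array( $class ) ? 'array(' . implode( ', ', $class ) . ')' : $class;
    printf( "input:               %s\n", $label );
    if ( is_string( $class ) ) {
        printf( "esc_attr:            class=\"%s\"\n", demo_esc_attr( $class ) );
        printf( "sanitize_html_class: class=\"%s\"\n", demo_sanitize_html_class( $class ) );
    }
    printf( "per-class sanitize:  class=\"%s\"\n\n", demo_sanitize_class_list( $class ) );
}
```

Run it with `php example.php`. For the first input esc_attr() leaves `postform wide` untouched while sanitize_html_class() collapses it to `postformwide`, which is the multiple-classes behaviour the ticket describes. For the second input esc_attr() still turns the quote into `&quot;`, so inside a double-quoted attribute the value cannot break out; the ticket is about strictness and consistency across functions, not an escaping failure. What esc_attr() does not do is confine the value to characters legal in a class token, whereas sanitize_html_class() reduces it to `postformonfocusalert1`. The per-class variant keeps `postform wide` and `postform wide ab` while still rejecting any character outside the class allow-list in each token.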
