Opened 3 months ago

Last modified 3 months ago

#51855 new defect (bug)

wp_dropdown_categories allows multiple classes

Reported by: tnash
Owned by: (none)
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 2.8
Component: General
Keywords: (none)
Focuses: (none)
Cc: (none)

Description

The function wp_dropdown_categories() provides the argument for class in line with many other functions; however, it uses:

$class    = esc_attr( $parsed_args['class'] );

Rather than:

sanitize_html_class( $class )

This means it is not using the much more restrictive sanitization and is allowing multiple classes.

Attachments (1)

51855.diff (589 bytes) - added by tnash 3 months ago.
Patch for wp_dropdown_categories to use sanitize_html_class

Change History (5)

@tnash
3 months ago

Patch for wp_dropdown_categories to use sanitize_html_class

#1 @SergeyBiryukov
3 months ago

Hi there, welcome back to WordPress Trac! Thanks for the ticket.

Just noting this also appears to apply to:

  • wp_list_categories()
  • wp_dropdown_page()
  • wp_dropdown_users()

On the other hand, wp_list_bookmarks() does use sanitize_html_class(), see [32906] / #51666.

Not allowing multiple classes in the other functions would be a back-compat break; they should at least allow for passing in an array of classes, same as wp_list_bookmarks().
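To make the difference concrete, here is an added example (my own stand-alone PHP, not code from the ticket or from WordPress core) contrasting attribute escaping with a single-class filter in the spirit of sanitize_html_class(), plus the per-class handling of an array argument that comment #1 mentions. The demo_ functions are assumed names, and the inputs are constructed.

```php
<?php
// Added example, not WordPress core code. Attribute escaping only:
// special characters become entities, but spaces survive, so a
// string carrying two classes still yields two classes.
function demo_esc_attr(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Single-class filter modelled on sanitize_html_class(): drop
// percent-encoded bytes, then anything outside [A-Za-z0-9_-].
// A value that does not survive falls back to $fallback.
function demo_sanitize_html_class(string $class, string $fallback = ''): string {
    $sanitized = preg_replace('/%[a-fA-F0-9]{2}/', '', $class);
    $sanitized = preg_replace('/[^A-Za-z0-9_-]/', '', $sanitized);
    return $sanitized === '' ? $fallback : $sanitized;
}

// The array form from comment #1: sanitize each class on its own,
// then join with spaces, so several classes stay usable while each
// one still passes the strict filter.
function demo_class_attr($class): string {
    $classes = is_array($class) ? $class : preg_split('/\s+/', (string) $class);
    $clean   = array_filter(array_map('demo_sanitize_html_class', $classes), 'strlen');
    return implode(' ', $clean);
}

// Constructed inputs: the default class, two classes in one string,
// a string with markup characters, and the array form.
$inputs = [
    'postform',
    'postform my-extra-class',
    'postform <b>',
    ['postform', 'my-extra-class'],
];

foreach ($inputs as $input) {
    $asString = is_array($input) ? implode(' ', $input) : $input;
    echo "input:               ", json_encode($input), "\n";
    echo "esc_attr style:      ", demo_esc_attr($asString), "\n";            // spaces kept
    echo "sanitize_html_class: ", demo_sanitize_html_class($asString), "\n"; // classes collapse
    echo "per-class sanitize:  ", demo_class_attr($input), "\n\n";           // spaces kept, each class filtered
}
```

Running it shows the collapse the ticket describes: "postform my-extra-class" passes through the escaping path intact but becomes "postformmy-extra-class" under the strict single-class filter, while the per-class variant keeps both classes.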

#2 @SergeyBiryukov
3 months ago

In 49688:

Docs: Clarify that the $class argument of wp_list_bookmarks() can accept an array.

Follow-up to [32906].

See #51855, #51800.

#3 @hellofromTonya
3 months ago

  • Version set to 2.8

$class = esc_attr() was introduced in 2.8 via changeset 11890.

#4 @tnash
3 months ago

Personally I would love to see sanitize_html_class() support multiple classes safely.

However, the ticket was raised exactly because of the inconsistencies across functions: developers will expect class arguments to behave and be escaped the same across functions, and indeed a function exists for this very use case, so it would make sense to use the stricter purpose-built function. Alternatively, switch all functions to use the more permissive esc_attr when inserting class.