Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#53349 closed defect (bug) (fixed)

Added esc_attr in Edit Comment Form Field

Reported by: utsav72640's profile utsav72640 Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 5.8 Priority: normal
Severity: normal Version:
Component: Comments Keywords: has-patch
Focuses: administration, coding-standards Cc:


Added Escaping Function Was Used in wp-admin\edit-form-comment.php

Attachments (1)

edit-form-comment.php.patch (588 bytes) - added by utsav72640 3 years ago.

Download all attachments as: .zip

Change History (3)

3 years ago


#1 @SergeyBiryukov
3 years ago

  • Component changed from General to Comments
  • Focuses administration added
  • Milestone changed from Awaiting Review to 5.8

Hi there, thanks for the patch!

It looks like esc_attr() here was previously removed in [11721].

Technically, it would be redundant, as the comment_author, comment_author_email, and comment_author_url fields are all escaped with esc_textarea() via format_to_edit() called from get_comment_to_edit(), before the edit-form-comment.php file is loaded.

That said, since comment_author and comment_author_url are also escaped with esc_attr() in the same form, I don't see any harm in doing that for comment_author_email too, for consistency and to avoid any future confusion.

#2 @SergeyBiryukov
3 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 51080:

Comments: Escape comment author's email in the Edit Comment form.

Technically, this is redundant, as the comment_author, comment_author_email, and comment_author_url fields are already escaped via get_comment_to_edit() before the form is displayed.

However, this brings some consistency with the comment_author and comment_author_url fields being escaped in the same form.

Follow-up to [11721].

Props utsav72640.
Fixes #53349.

Note: See TracTickets for help on using tickets.