Opened 5 years ago
Closed 5 years ago
#53426 closed enhancement (fixed)
Escaping function missing.
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Milestone: | 5.8 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Administration | Keywords: | has-patch |
| Focuses: | Cc: |
Description
Escaping function missing which is use admin url function.
Attachments (2)
Change History (7)
#1
@
5 years ago
- Keywords needs-refresh added
- Type changed from defect (bug) to enhancement
- Version 5.7 deleted
#2
@
5 years ago
- Component changed from General to Administration
- Keywords needs-refresh removed
- Milestone changed from Awaiting Review to 5.8
#3
@
5 years ago
- Keywords has-patch added
Hi there, thanks for the patch!
Just noting that the instance in wp-includes/class-wp-embed.php does not need escaping.
The current code creates a link like this:
$.get("/build/wp-admin/admin-ajax.php?action=oembed-cache&post=123");
With the patch, the ampersand is converted to the & entity:
$.get("/build/wp-admin/admin-ajax.php?action=oembed-cache&post=123");
This leads to the post parameter being dropped from the link when the request is made in my testing:
http://develop.wordpress.test/build/wp-admin/admin-ajax.php?action=oembed-cache&
The rest of the patch looks good.
#4
@
5 years ago
On second thought, we could use something like this in wp-includes/class-wp-embed.php:
$.get("<?php echo esc_url( admin_url( 'admin-ajax.php', 'relative' ) ) . '?action=oembed-cache&post=' . $post->ID; ?>");
It would be consistent with a similar line in wp-admin/includes/image-edit.php (as seen in the patch).
Note: See
TracTickets for help on using
tickets.
Hi there!
Thank you for the ticket and patch.
In my global search, I found two more files that need escaping for the admin_url function.
https://github.com/WordPress/WordPress/blob/master/wp-includes/class-wp-embed.php#L93
https://github.com/WordPress/WordPress/blob/master/wp-admin/edit-tag-form.php#L303