WordPress.org

Make WordPress Core

Opened 3 months ago

Closed 3 months ago

#53426 closed enhancement (fixed)

Escaping function missing.

Reported by: chintan1896 Owned by: SergeyBiryukov
Milestone: 5.8 Priority: normal
Severity: normal Version:
Component: Administration Keywords: has-patch
Focuses: Cc:

Description

Escaping function missing which is use admin url function.

Attachments (2)

53426.diff (10.3 KB) - added by chintan1896 3 months ago.
53426-1.2.diff (11.9 KB) - added by chintan1896 3 months ago.
Refresh patch added

Download all attachments as: .zip

Change History (7)

@chintan1896
3 months ago

#1 @mukesh27
3 months ago

  • Keywords needs-refresh added
  • Type changed from defect (bug) to enhancement
  • Version 5.7 deleted

Hi there!

Thank you for the ticket and patch.

In my global search, I found two more files that need escaping for the admin_url function.

https://github.com/WordPress/WordPress/blob/master/wp-includes/class-wp-embed.php#L93
https://github.com/WordPress/WordPress/blob/master/wp-admin/edit-tag-form.php#L303

@chintan1896
3 months ago

Refresh patch added

#2 @SergeyBiryukov
3 months ago

  • Component changed from General to Administration
  • Keywords needs-refresh removed
  • Milestone changed from Awaiting Review to 5.8

#3 @SergeyBiryukov
3 months ago

  • Keywords has-patch added

Hi there, thanks for the patch!

Just noting that the instance in wp-includes/class-wp-embed.php does not need escaping.

The current code creates a link like this:

$.get("/build/wp-admin/admin-ajax.php?action=oembed-cache&post=123");

With the patch, the ampersand is converted to the & entity:

$.get("/build/wp-admin/admin-ajax.php?action=oembed-cache&post=123");

This leads to the post parameter being dropped from the link when the request is made in my testing:

http://develop.wordpress.test/build/wp-admin/admin-ajax.php?action=oembed-cache&

The rest of the patch looks good.

#4 @SergeyBiryukov
3 months ago

On second thought, we could use something like this in wp-includes/class-wp-embed.php:

$.get("<?php echo esc_url( admin_url( 'admin-ajax.php', 'relative' ) ) . '?action=oembed-cache&post=' . $post->ID; ?>");

It would be consistent with a similar line in wp-admin/includes/image-edit.php (as seen in the patch).

#5 @SergeyBiryukov
3 months ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 51177:

Administration: Consistently escape admin_url() links.

Props chintan1896, mukesh27.
Fixes #53426.

Note: See TracTickets for help on using tickets.