Opened 3 years ago
Closed 3 years ago
#53426 closed enhancement (fixed)
Escaping function missing.
Reported by: | chintan1896 | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | 5.8 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Administration | Keywords: | has-patch |
Focuses: | Cc: |
Description
Escaping function missing which is use admin url function.
Attachments (2)
Change History (7)
#1
@
3 years ago
- Keywords needs-refresh added
- Type changed from defect (bug) to enhancement
- Version 5.7 deleted
#2
@
3 years ago
- Component changed from General to Administration
- Keywords needs-refresh removed
- Milestone changed from Awaiting Review to 5.8
#3
@
3 years ago
- Keywords has-patch added
Hi there, thanks for the patch!
Just noting that the instance in wp-includes/class-wp-embed.php
does not need escaping.
The current code creates a link like this:
$.get("/build/wp-admin/admin-ajax.php?action=oembed-cache&post=123");
With the patch, the ampersand is converted to the &
entity:
$.get("/build/wp-admin/admin-ajax.php?action=oembed-cache&post=123");
This leads to the post
parameter being dropped from the link when the request is made in my testing:
http://develop.wordpress.test/build/wp-admin/admin-ajax.php?action=oembed-cache&
The rest of the patch looks good.
#4
@
3 years ago
On second thought, we could use something like this in wp-includes/class-wp-embed.php
:
$.get("<?php echo esc_url( admin_url( 'admin-ajax.php', 'relative' ) ) . '?action=oembed-cache&post=' . $post->ID; ?>");
It would be consistent with a similar line in wp-admin/includes/image-edit.php
(as seen in the patch).
Note: See
TracTickets for help on using
tickets.
Hi there!
Thank you for the ticket and patch.
In my global search, I found two more files that need escaping for the admin_url function.
https://github.com/WordPress/WordPress/blob/master/wp-includes/class-wp-embed.php#L93
https://github.com/WordPress/WordPress/blob/master/wp-admin/edit-tag-form.php#L303