Opened 3 years ago
Closed 3 years ago
#53459 closed enhancement (fixed)
Escaping function missing.
Reported by: | chintan1896 | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | 5.8 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Administration | Keywords: | has-patch |
Focuses: | Cc: |
Description
An escaping function is missing where the network_admin_url function is used.
Attachments (1)
Change History (4)
#2 in reply to: ↑ 1 @ 3 years ago
- Keywords needs-refresh removed
- Milestone changed from Awaiting Review to 5.8
- Owner set to SergeyBiryukov
- Status changed from new to reviewing
Replying to mukesh27:
> Can you please search network_admin_url globally in the WordPress directory and add the remaining file change?
> https://github.com/WordPress/WordPress/blob/master/wp-includes/admin-bar.php#L1058
> https://github.com/WordPress/WordPress/blob/master/wp-includes/link-template.php#L3738
It looks like those instances do not need escaping:
- Toolbar (admin bar) links are already escaped on output, see WP_Admin_Bar::_render_item().
- self_admin_url() is used to retrieve the raw value, pretty much like network_admin_url() itself. The value should be escaped on output according to the context, and not in the function itself (see #13051 for a previous discussion).
So the patch seems good as is :)
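The escape-on-output rule from the comment above, as an added example (not the ticket's patch and not WordPress core code): the raw value from network_admin_url() is escaped differently for each output context. It assumes a loaded WordPress multisite install; the myplugin_* function names, the 'myplugin' text domain and the 'orphaned' query argument are hypothetical.

```php
<?php
// Added example; assumes it runs inside a loaded WordPress multisite install.
// All myplugin_* names, the 'myplugin' text domain and the 'orphaned'
// query argument are hypothetical.

/**
 * Raw getter, in the style of network_admin_url() itself: returns the
 * unescaped URL so each caller can escape for its own output context.
 */
function myplugin_sites_url() {
	$args = array( 'orphaned' => '1', 'paged' => '1' );
	return add_query_arg( $args, network_admin_url( 'sites.php' ) );
}

/** HTML attribute context: escape at the moment of output with esc_url(). */
function myplugin_render_notice() {
	printf(
		'<div class="notice notice-info"><p><a href="%s">%s</a></p></div>',
		esc_url( myplugin_sites_url() ),
		esc_html__( 'Review sites', 'myplugin' )
	);
}
add_action( 'network_admin_notices', 'myplugin_render_notice' );

/**
 * Redirect context: no HTML entity encoding. wp_safe_redirect() sanitizes
 * the location and restricts it to allowed hosts. Had the getter returned
 * an esc_url()'d string, "&" would already be "&#038;" and the query
 * string would be corrupted in the Location header.
 */
function myplugin_redirect_to_sites() {
	if ( wp_safe_redirect( myplugin_sites_url() ) ) {
		exit;
	}
}

/** Inline script context: JSON-encode instead of HTML-escaping. */
function myplugin_print_config() {
	printf(
		'<script>var mypluginSitesUrl = %s;</script>',
		wp_json_encode( myplugin_sites_url(), JSON_HEX_TAG | JSON_HEX_AMP )
	);
}
add_action( 'admin_print_footer_scripts', 'myplugin_print_config' );
```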
Hi there!
Can you please search network_admin_url globally in the WordPress directory and add the remaining file change?
https://github.com/WordPress/WordPress/blob/master/wp-includes/admin-bar.php#L1058
https://github.com/WordPress/WordPress/blob/master/wp-includes/link-template.php#L3738