Opened 5 years ago
Closed 5 years ago
#53459 closed enhancement (fixed)
Escaping function missing.
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 5.8 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Administration | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
Escaping function is missing where the network_admin_url function is used.
Attachments (1)
Change History (4)
#2 in reply to: ↑ 1 @ 5 years ago
- Keywords needs-refresh removed
- Milestone changed from Awaiting Review to 5.8
- Owner set to SergeyBiryukov
- Status changed from new to reviewing
Replying to mukesh27:
Can you please search network_admin_url globally in the WordPress directory and add the remaining file change?
https://github.com/WordPress/WordPress/blob/master/wp-includes/admin-bar.php#L1058
https://github.com/WordPress/WordPress/blob/master/wp-includes/link-template.php#L3738
It looks like those instances do not need escaping:
- Toolbar (admin bar) links are already escaped on output, see WP_Admin_Bar::_render_item().
- self_admin_url() is used to retrieve the raw value, pretty much like network_admin_url() itself. The value should be escaped on output according to the context, and not in the function itself (see #13051 for a previous discussion).
So the patch seems good as is :)
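The point made in the reply above, that network_admin_url() returns a raw value and the caller escapes it for the output context, shown as an added example. This is hypothetical plugin code, not the ticket's patch or WordPress core code; the example_ function names, the query arguments and the script handle are assumptions, and it is assumed to run inside a multisite WordPress install.

```php
<?php
/**
 * Added example: one raw URL, three output contexts.
 * All example_* names are hypothetical and not part of WordPress.
 */

// Raw value: network_admin_url() and add_query_arg() do no escaping themselves.
function example_sites_url() {
	return add_query_arg(
		array(
			's'       => 'blog',       // Constructed sample query arguments.
			'orderby' => 'registered',
		),
		network_admin_url( 'sites.php' )
	);
}

// Context 1: HTML attribute and text node. Escape at the point of output.
function example_render_link() {
	printf(
		'<a href="%s">%s</a>',
		esc_url( example_sites_url() ),
		esc_html__( 'Search sites', 'example' )
	);
}

// Context 2: HTTP Location header. HTML entities do not belong here: a value
// already passed through esc_url() would carry "&#038;" into the header and
// break the query string, which is why the getter must stay raw.
function example_redirect() {
	wp_safe_redirect( example_sites_url() );
	exit;
}

// Context 3: inline JavaScript data. JSON-encode instead of HTML-escaping.
function example_inline_script() {
	wp_add_inline_script(
		'example-handle', // Hypothetical handle, assumed to be registered already.
		'var exampleSitesUrl = ' . wp_json_encode( example_sites_url() ) . ';',
		'before'
	);
}
```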
Hi there!
Can you please search network_admin_url globally in the WordPress directory and add the remaining file change?
https://github.com/WordPress/WordPress/blob/master/wp-includes/admin-bar.php#L1058
https://github.com/WordPress/WordPress/blob/master/wp-includes/link-template.php#L3738