Context Navigation

← Previous Ticket
Next Ticket →

#53899 new enhancement

Escaping strings and screenshot URL on Themes screen

Reported by:	vishitshah	Owned by:
Milestone:	Awaiting Review	Priority:	normal
Severity:	normal	Version:
Component:	Themes	Keywords:	has-patch
Focuses:		Cc:

Description

Attachments (1)

53899.diff (650 bytes) - added by vishitshah 4 years ago.

Download all attachments as: .zip

Change History (5)

@vishitshah
4 years ago

Attachment 53899.diff added

#1 @audrasjb
4 years ago

Version trunk deleted

Thanks for the ticket and patch,

Just noting that the content of $active_class is generated by the following code:

	$active_class = '';
	if ( $theme['active'] ) {
		$active_class = ' active';
	}

Therefore, there is no way to anyone one to inject anything in this variable, so the current code seems 100% safe :)

#2 @audrasjb
4 years ago

Concerning the screenshot URL, if we want to escape late the URL, we'll probably want to do it in the template model too:

	<# if ( data.screenshot[0] ) { #>
		<div class="theme-screenshot">
			<img src="{{ data.screenshot[0] }}" alt="" />
		</div>
	<# } else { #>
		<div class="theme-screenshot blank"></div>
	<# } #>

Last edited 4 years ago by audrasjb (previous) (diff)

#3 @SergeyBiryukov
4 years ago

Component changed from General to Themes

#4 @SergeyBiryukov
4 years ago

Summary changed from Escaping strings and url to Escaping strings and screenshot URL on Themes screen

Note: See TracTickets for help on using tickets.

Trac UI Preferences

Download in other formats:

Make WordPress Core