Make WordPress Core

Opened 3 years ago

Last modified 3 years ago

#53899 new enhancement

Escaping strings and screenshot URL on Themes screen

Reported by: vishitshah
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Themes
Keywords: has-patch
Focuses:
Cc:

Description

Attachments (1)

53899.diff (650 bytes) - added by vishitshah 3 years ago.


Change History (5)

@vishitshah
3 years ago

#1 @audrasjb
3 years ago

  • Version trunk deleted

Thanks for the ticket and patch,

Just noting that the content of $active_class is generated by the following code:

	$active_class = '';
	if ( $theme['active'] ) {
		$active_class = ' active';
	}

Therefore, there is no way for anyone to inject anything into this variable, so the current code seems 100% safe :)

#2 @audrasjb
3 years ago

Concerning the screenshot URL, if we want to escape the URL late, we need to do it in the template model too:

	<# if ( data.screenshot[0] ) { #>
		<div class="theme-screenshot">
			<img src="{{ data.screenshot[0] }}" alt="" />
		</div>
	<# } else { #>
		<div class="theme-screenshot blank"></div>
	<# } #>
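The late-escaping point from #2, as an added JavaScript example (not WordPress core code and not the ticket's patch): a stand-in for the screenshot branch of the template above that applies a URL allowlist at the point where the value is rendered into the img src, so the escape lives in the template model rather than only in PHP. The helper names and the theme records are constructed for this example, and the allowlist is deliberately narrower than WordPress's own esc_url().

```javascript
// Added example, not WordPress core code. Models the Themes screen template
// branch: "{{ x }}" tags are HTML-escaped, and a URL-context escape is applied
// where the value is rendered (the "late escaping" raised in comment #2).
// escapeHtml, escapeUrl, renderScreenshot and SAMPLE_THEMES are hypothetical
// names; the theme records are constructed sample data.

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;",
  })[c]);
}

// URL-context escape: accept only absolute http(s) URLs or site-relative
// paths. Anything else (other schemes, control characters, unparsable input)
// renders as an empty string, which the template then treats as "no screenshot".
// This allowlist is narrower than WordPress's esc_url() on purpose.
function escapeUrl(value) {
  const url = String(value).trim();
  if (url === "" || /[\u0000-\u001f]/.test(url)) return "";
  if (url.startsWith("/") && !url.startsWith("//")) return escapeHtml(url);
  try {
    const parsed = new URL(url); // normalises and percent-encodes the path
    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return "";
    return escapeHtml(parsed.href);
  } catch (e) {
    return "";
  }
}

// Equivalent of the "<# if ( data.screenshot[0] ) { #>" branch in the template,
// with escapeUrl() applied to the value instead of plain interpolation.
function renderScreenshot(data) {
  const screenshot = Array.isArray(data.screenshot) ? data.screenshot[0] : "";
  const src = screenshot ? escapeUrl(screenshot) : "";
  if (src === "") {
    return '<div class="theme-screenshot blank"></div>';
  }
  return '<div class="theme-screenshot"><img src="' + src + '" alt="" /></div>';
}

// Constructed sample theme records, mirroring the data object the template receives.
const SAMPLE_THEMES = [
  { name: "Sample One", screenshot: ["https://example.com/themes/one/screenshot.png"] },
  { name: "Sample Two", screenshot: [] },
  { name: "Sample Three", screenshot: ["/wp-content/themes/three/screenshot.png"] },
  { name: "Sample Four", screenshot: ['https://example.com/themes/a"b/screenshot.png'] },
];

SAMPLE_THEMES.forEach((theme) => console.log(theme.name + ": " + renderScreenshot(theme)));
```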

#3 @SergeyBiryukov
3 years ago

  • Component changed from General to Themes

#4 @SergeyBiryukov
3 years ago

  • Summary changed from Escaping strings and url to Escaping strings and screenshot URL on Themes screen