#53943 closed enhancement (maybelater)
Consider removing user's info in body class for page author
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Themes | Keywords: | |
| Focuses: | | Cc: | |
Description
By default, the `body_class` filter includes user login info on page author. It gives something like this:

```
<body class="archive author author-sarah author-123456">
```
While I certainly don't believe in security through obscurity, I think it should not be the default behavior. Even if you want to customize the template for a specific author, you'd better use a specific file in the theme.
Change History (4)
#1
@
4 years ago
- Component changed from General to Users
- Keywords 2nd-opinion added
- Version 5.8 deleted
#2
@
4 years ago
Hi @audrasjb, I can understand your hesitation but I think the template hierarchy makes it pretty clear:

- author-{nicename}.php - If the author's nice name were rami, WordPress would look for author-rami.php.
- author-{id}.php - If the author's ID were 6, WordPress would look for author-6.php.
- author.php
- archive.php
- index.php

Any other usage would be kinda hacky to me, especially targeting an ID or a user login with the CSS.
#3
@
4 years ago
- Component changed from Users to Themes
- Keywords 2nd-opinion removed
- Milestone Awaiting Review deleted
- Resolution set to maybelater
- Status changed from new to closed
I agree with @audrasjb that this is not something that should be changed.
The WordPress project also does not consider usernames or user IDs to be private or secure information. This is outlined in the Core Handbook on the Reporting Security Vulnerabilities page. As presented with the information available, the pros of removing this class do not outweigh the cons.
This issue should also become less and less common as more and more block-based themes are created.
I'm going to close this out as a maybelater. If more information presents itself to strengthen the case to remove this class, it can be reconsidered.
#4
@
4 years ago
I'm not reporting it as a security issue if you read me. User login is probably a piece of info, but it's not my point here, it's just a strange default behavior.
> This issue should also become less and less common as more and more block-based themes are created.
I hope you're right 🤞🏻.
Hi @jmlapam and thanks for your ticket,
While this is a good point, I feel a bit hesitant about removing this, because of potential backward compatibility issues. Indeed, some developers may use these classes in their CSS to customize the archive. I agree it's probably an edge case, but definitely something to consider before removing the classes.
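
For a site owner who wants the behaviour requested in this ticket without a core change, the following is an added example (not code from the ticket or from WordPress core) of a `body_class` filter that drops the `author-{nicename}` and `author-{id}` classes on author archives. The function name `example_strip_author_classes` and the priority `20` are assumptions; the sample class list is the one from the ticket description.

```php
<?php
/**
 * Added example, not WordPress core code.
 * Removes the per-author classes from <body> on author archives and
 * keeps the generic "archive" and "author" classes.
 */

/**
 * Pure helper (hypothetical name): drop "author-{nicename}" and
 * "author-{id}" from a list of body classes.
 */
function example_strip_author_classes( array $classes, string $nicename_class, int $author_id ): array {
    $drop = array( 'author-' . $nicename_class, 'author-' . $author_id );
    // array_values() re-indexes so later filters see a clean list.
    return array_values( array_diff( $classes, $drop ) );
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: hook the helper into the body_class filter.
    add_filter( 'body_class', function ( $classes ) {
        if ( ! is_author() ) {
            return $classes; // Only author archives carry these classes.
        }
        $author = get_queried_object();
        if ( ! ( $author instanceof WP_User ) ) {
            return $classes; // No resolved author, nothing to strip.
        }
        // Build the class name the same way the nicename is sanitized
        // for use as an HTML class, with the ID as fallback.
        $nicename_class = sanitize_html_class( $author->user_nicename, $author->ID );
        return example_strip_author_classes( $classes, $nicename_class, (int) $author->ID );
    }, 20 );
} else {
    // Outside WordPress: run the helper on the constructed class list
    // taken from the ticket description.
    $sample = array( 'archive', 'author', 'author-sarah', 'author-123456' );
    echo implode( ' ', example_strip_author_classes( $sample, 'sarah', 123456 ) ), PHP_EOL;
}
```

This only changes the `<body>` markup: the `author-{nicename}.php` and `author-{id}.php` template lookups are unaffected, and any CSS that targets the removed classes stops matching, which is the backward compatibility concern raised in the thread.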