Use esc_html() to escaping variable in about page

[sayedulsayem]

On about.php there is a variable echo without escaping. like

<?php echo $display_version; ?>

to print the WordPress version. On others file, this kind of print use esc_html() escaping.
It should have to use there also.

[sayedulsayem]

Created patch.

[audrasjb]

Yes, it doesn't hurt. Patch looks good to me.
Removing trunk version as it wasn't really introduced in WP 5.8 :)

[rehanali]

Created patch

[audrasjb]

@rehanali thanks, but it is not necessary to create a new patch with the same exact content than the previous one :)

[audrasjb]

also @rehanali you have to create your diff file against the wordpress-develop folder location ;)

[mukesh27]

Hi there, Thanks for the ticket and patch!

Please add brackets before and after $display_version?

<?php echo esc_html( $display_version ); ?>

Remove commit for now.

[sayedulsayem]

Added space before and after in function params

[sayedulsayem]

Thank you for pointing out this title mistake. I added another patch with the mentioned change.
Replying to mukesh27:

Hi there, Thanks for the ticket and patch!

Please add brackets before and after $display_version?

<?php echo esc_html( $display_version ); ?>

Remove commit for now.

[mukesh27]

Thanks for the quick patch.

Ready to marge. Mark as commit

[desrosj]

Thanks everyone for taking a look at this!

I've done some looking back at past versions to see if $display_version has been escaped in the past, and it looks like it never was.

Looking into why, my assumption is most likely that $wp_version can generally be considered trusted. get_bloginfo( 'version' ) returns the value stored in the $wp_version global variable. Though there are filters in get_bloginfo(), the value is not passed through either of them because the default context is raw, not display.

I'm going to close this out as wontfix following precedent.