Opened 20 months ago
Closed 19 months ago
#54256 closed enhancement (fixed)
Properly escape url and attributes in wp-admin/themes.php
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 5.9 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Themes | Keywords: | has-patch |
| Focuses: | coding-standards | Cc: | |
Description
There are multiple unescaped URLs and attributes in wp-admin/themes.php.
It's against the WordPress coding standards.
Attachments (3)
Change History (11)
#2 follow-up: ↓ 4 @ 20 months ago
- Version trunk deleted
I think most of these variables don't need to be escaped, since they are generated by WordPress itself and can't be edited in any way.
(removing `trunk` version)
#3 @ 20 months ago
In my opinion, the only one where we may perhaps consider an escaping function is `$theme['screenshot'][0]`.
#4 in reply to: ↑ 2 @ 20 months ago
Replying to audrasjb:
> I think most of these variables don't need to be escaped, since they are generated by WordPress itself and can't be edited in any way.
> (removing `trunk` version)
Thanks for your feedback. I want to mention a few cases where the same attributes are escaped and some are not in the same file, /wp-admin/themes.php.
Please check lines 535, 548, 555, 567, 870, 894, 907, 913.
If these need attribute escaping, then why not lines 1120, 1129, 1140?
Patch added
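
The point debated in this ticket, as an added example (not code from wp-admin/themes.php or from the attached patch): escaping at the point of output keeps a value inside its attribute no matter where the value came from. The `$theme` array is constructed sample data, and the `esc_attr()` / `esc_url()` definitions are simplified stand-ins that are only used when the file runs outside WordPress.

```php
<?php
// Added example. Inside WordPress the real esc_attr() and esc_url() are used;
// these simplified stand-ins exist only so the file runs on its own.
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
}
if ( ! function_exists( 'esc_url' ) ) {
	function esc_url( $url ) {
		$scheme = strtolower( (string) parse_url( (string) $url, PHP_URL_SCHEME ) );
		// Stand-in rule (assumption): accept only http(s) or scheme-less URLs.
		if ( '' !== $scheme && ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
			return '';
		}
		return htmlspecialchars( (string) $url, ENT_QUOTES, 'UTF-8' );
	}
}

// Constructed theme data: values containing characters that are meaningful in an attribute.
$theme = array(
	'id'         => 'my-theme" data-x="1',
	'name'       => 'Tom & "Jerry" Theme',
	'screenshot' => array( 'https://example.test/themes/a/screenshot.png?v="1"' ),
);

function render_unescaped( array $theme ) {
	return '<div class="theme" data-slug="' . $theme['id'] . '">'
		. '<img src="' . $theme['screenshot'][0] . '" alt="' . $theme['name'] . '" />'
		. '</div>';
}

function render_escaped( array $theme ) {
	return '<div class="theme" data-slug="' . esc_attr( $theme['id'] ) . '">'
		. '<img src="' . esc_url( $theme['screenshot'][0] ) . '" alt="' . esc_attr( $theme['name'] ) . '" />'
		. '</div>';
}

// Number of attributes an HTML parser sees on the <div>. When the value is
// escaped, the quote in 'id' cannot close data-slug and start a new attribute.
function count_div_attributes( $html ) {
	$doc = new DOMDocument();
	@$doc->loadHTML( $html ); // Suppress parser warnings for the malformed unescaped markup.
	return $doc->getElementsByTagName( 'div' )->item( 0 )->attributes->length;
}

echo count_div_attributes( render_unescaped( $theme ) ), "\n";
echo count_div_attributes( render_escaped( $theme ) ), "\n";
```

The two counts differ because the unescaped render lets the value of `id` end `data-slug` early, which is the failure late escaping prevents even when the data is expected to be WordPress-generated.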