#54277 closed defect (bug) (fixed)
values within loop should be escaped properly before echo `wp-admin/theme-install.php`
Reported by: | sabbirshouvo | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | 5.9 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Themes | Keywords: | has-patch |
Focuses: | coding-standards | Cc: | |
Description
In `wp-admin/theme-install.php`, line 232, `$feature_name` is not escaped properly before the value is echoed. It should be escaped. In a similar scenario in the file `wp-admin/includes/theme-install.php`, the same variable is escaped with `esc_html()`.
Attachments (3)
Change History (12)
#2 in reply to: ↑ 1, 3 years ago

Replying to afragen:

> Since it's a variable, shouldn't that be `esc_attr()`?

I've used `wp-admin/includes/theme-install.php` line 149 as a reference.
#3, 3 years ago

- Version trunk deleted

Using `esc_html()` would be appropriate for the label text; the category name's variable is escaped the same way for the `legend` tag on line 226.

Side note: I got confused by both variables named `$feature_name`, because the first `foreach` loop refers to the feature category name. Could we change that variable to `$category_name` (or something similar)?
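Following up on the `esc_html()` / `esc_attr()` discussion above, here is an added example (not code from the ticket, the patch, or WordPress core) showing why the escaping function is chosen by output context rather than by variable. It assumes a feature-list shape and checkbox/label markup similar to what the ticket describes, and defines simplified stand-ins for `esc_html()` and `esc_attr()` so it runs without WordPress loaded:

```php
<?php
// Added illustration for this ticket; not code from wp-admin/theme-install.php.
// Stand-ins so the script runs without WordPress loaded. Assumption: for the
// ASCII input below both behave like WordPress's esc_html()/esc_attr()
// (HTML-encode <, >, &, ", '). WordPress's own versions also check UTF-8
// validity and run filters; those differences are not modelled here.
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}

// Constructed feature list in the shape the ticket discusses:
// category name => ( feature slug => feature display name ).
// Two entries carry markup to show what escaping must stop in each context.
$feature_list = array(
	'Layout' => array(
		'grid-layout'            => 'Grid Layout',
		'one-column'             => 'One Column<script>alert(1)</script>',
		'wide"onfocus="alert(2)' => 'Wide Blocks',
	),
);

// What the ticket reports: the category name is escaped for the <legend>,
// but the display name is concatenated into the label text unescaped, and
// (assumed markup) the slug lands inside value="" unescaped. Both become
// live markup: a <script> element and a new onfocus="" attribute.
function render_features_unescaped( array $feature_list ) {
	$html = '';
	foreach ( $feature_list as $feature_category => $features ) {
		$html .= '<fieldset><legend>' . esc_html( $feature_category ) . '</legend>';
		foreach ( $features as $feature => $feature_name ) {
			$html .= '<label><input type="checkbox" name="features[]" value="' . $feature . '" /> ';
			$html .= $feature_name; // not escaped: the ticket's defect
			$html .= '</label>';
		}
		$html .= '</fieldset>';
	}
	return $html;
}

// Escaping chosen by output context, the point of comments 2 and 3:
// esc_attr() for anything inside an attribute value, esc_html() for text
// between tags. The category variable is escaped inline instead of being
// reassigned (comment 4) and renamed as comment 3 suggests.
function render_features_escaped( array $feature_list ) {
	$html = '';
	foreach ( $feature_list as $category_name => $features ) {
		$html .= '<fieldset><legend>' . esc_html( $category_name ) . '</legend>';
		foreach ( $features as $feature => $feature_name ) {
			$html .= '<label><input type="checkbox" name="features[]" value="' . esc_attr( $feature ) . '" /> ';
			$html .= esc_html( $feature_name );
			$html .= '</label>';
		}
		$html .= '</fieldset>';
	}
	return $html;
}

echo "Unescaped:\n", render_features_unescaped( $feature_list ), "\n\n";
echo "Escaped:\n", render_features_escaped( $feature_list ), "\n";
```

Run with `php example.php` and compare the two outputs: in the unescaped render the `<script>` tag and the injected `onfocus="alert(2)"` attribute survive verbatim, while the escaped render turns them into inert text (`&lt;script&gt;` and `&quot;onfocus=&quot;`). The reason to keep `esc_attr()` and `esc_html()` distinct even though this stand-in encodes them identically is that the right function is the one matching where the string is written, not what the variable is called; picking by context is what the later comments settle on.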
#4, 3 years ago

Can we use the escaped value directly instead of setting a variable for the escaped value and then using it for print?

```php
$feature_category = esc_html( $feature_category );
echo '<legend>' . $feature_category . '</legend>';
```

Should be

```php
echo '<legend>' . esc_html( $feature_category ) . '</legend>';
```
#5, 3 years ago

Actually, my original patch is for the next two variables. The variable `$feature_name` was not properly escaped. And your suggestion looks good too. Should I make changes to my patch? @mukesh27
#8, 3 years ago

- Owner set to SergeyBiryukov
- Resolution set to fixed
- Status changed from new to closed

In 51923:

escape `$feature_name` using `esc_html()`