#54279 closed enhancement (fixed)
Unescaped echo in wp-includes/general-template.php
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 5.9 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Login and Registration | Keywords: | has-patch commit |
| Focuses: | coding-standards | Cc: | |
Description
In wp-includes/general-template.php -> wp_login_form() there are unescaped values for form name & id that should be properly escaped with esc_attr().
Attachments (2)
Change History (10)
#1
@
20 months ago
- Component changed from General to Login and Registration
- Milestone changed from Awaiting Review to 5.9
- Version trunk deleted
#2
@
20 months ago
@mukesh27 sure, it's possible. I'm looking into the code and will make the necessary adjustments to the patch.
#4
@
20 months ago
- Type changed from defect (bug) to enhancement
According to WordPress Coding Standards, the rule here is to escape late, so it is better not to use those variables.
#5
@
20 months ago
I prefer the 54279.diff patch to 54279.3.diff. It escapes late like @audrasjb suggested.
#6
@
20 months ago
- Keywords commit added
Adding commit keyword for 54279.diff which is the best option according to WordPress Coding Standards.
#7
@
20 months ago
- Owner set to SergeyBiryukov
- Resolution set to fixed
- Status changed from new to closed
In 51926:
This ticket was mentioned in Slack in #core by sergey. View the logs.
20 months ago
Hi there, thanks for the ticket and patch!
The patch looks good to me, just one thought: for the below three variables we used esc_attr two times. Can we assign the escaped value to a single variable and pass it?
esc_attr( $args['form_id'] )
esc_attr( $args['id_username'] )
esc_attr( $args['id_password'] )
Moving to milestone 5.9.
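Added example, not WordPress core code and not either patch attached to this ticket: a simplified login form rendered with raw attribute values and with each value escaped at the point of output, as the escape-late rule discussed above asks. The renderer functions, the esc_attr() stand-in built on htmlspecialchars(), and the sample values are assumptions made so the file runs outside WordPress.

```php
<?php
// Added illustration: not WordPress core code and not either patch on this ticket.
// Stand-in for esc_attr() so the file runs outside WordPress. Assumption:
// htmlspecialchars() with ENT_QUOTES is close enough for this demonstration.
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
}

// Hypothetical, simplified renderer: values go into attributes raw.
function render_unescaped( array $args ) {
	return '<form name="' . $args['form_id'] . '" id="' . $args['form_id'] . '" method="post">'
		. '<label for="' . $args['id_username'] . '">Username</label>'
		. '<input type="text" name="log" id="' . $args['id_username'] . '" />'
		. '</form>';
}

// Hypothetical, simplified renderer: every value is escaped where it is printed.
function render_escaped_late( array $args ) {
	return '<form name="' . esc_attr( $args['form_id'] ) . '" id="' . esc_attr( $args['form_id'] ) . '" method="post">'
		. '<label for="' . esc_attr( $args['id_username'] ) . '">Username</label>'
		. '<input type="text" name="log" id="' . esc_attr( $args['id_username'] ) . '" />'
		. '</form>';
}

// Reads the form's name attribute back the way an HTML parser would delimit it.
function parsed_form_name( $html ) {
	if ( ! preg_match( '/<form name="([^"]*)"/', $html, $m ) ) {
		return null;
	}
	return html_entity_decode( $m[1], ENT_QUOTES, 'UTF-8' );
}

// Constructed sample values containing characters that are special inside attributes.
$args = array(
	'form_id'     => 'login"form',
	'id_username' => "user<'login'>",
);

foreach ( array( 'render_unescaped', 'render_escaped_late' ) as $renderer ) {
	$html = $renderer( $args );
	echo $renderer, ":\n", $html, "\n";
	// Intact means the attribute value round-trips to exactly what was supplied.
	echo '  form name intact: ', var_export( parsed_form_name( $html ) === $args['form_id'], true ), "\n";
}
```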