WordPress.org

Make WordPress Core

Opened 7 weeks ago

Closed 6 weeks ago

Last modified 5 weeks ago

#54279 closed enhancement (fixed)

Unescaped echo in wp-includes/general-template.php

Reported by: sabbirshouvo Owned by: SergeyBiryukov
Milestone: 5.9 Priority: normal
Severity: normal Version:
Component: Login and Registration Keywords: has-patch commit
Focuses: coding-standards Cc:

Description

In wp-includes/general-template.php -> wp_login_form() there are unescaped value for form name & id that should be properly escaped with esc_attr()

Attachments (2)

54279.diff (865 bytes) - added by sabbirshouvo 7 weeks ago.
54279.3.diff (2.1 KB) - added by sabbirshouvo 7 weeks ago.
move multiple variables to reusable single variable

Download all attachments as: .zip

Change History (10)

@sabbirshouvo
7 weeks ago

#1 @mukesh27
7 weeks ago

  • Component changed from General to Login and Registration
  • Milestone changed from Awaiting Review to 5.9
  • Version trunk deleted

Hi there, thanks for the ticket and patch!

The patch looks good to me just one thought, For below three variable we used two times esc_attr can we assign escape value in single variable and pass it?

esc_attr( $args['form_id'] )
esc_attr( $args['id_username'] )
esc_attr( $args['id_password'] )

Moving to milestone 5.9.

#2 @sabbirshouvo
7 weeks ago

@mukesh27 sure it's possible. I'm looking into the codes and will make necessary adjustment to the patch.

@sabbirshouvo
7 weeks ago

move multiple variables to reusable single variable

#3 @mukesh27
7 weeks ago

Thanks for the updated patch. Let's wait to other dev comment.

#4 @audrasjb
7 weeks ago

  • Type changed from defect (bug) to enhancement

According to WordPress Coding Standards, the rule here is to escape late, so better not using those variables.

#5 @henry.wright
6 weeks ago

I prefer the 54279.diff patch to 54279.3.diff. It escapes late like @audrasjb suggested.

#6 @audrasjb
6 weeks ago

  • Keywords commit added

Adding commit keyword for 54279.diff which is the best option according to WordPress Coding Standards.

#7 @SergeyBiryukov
6 weeks ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 51926:

Coding Standards: Improve escaping in wp_login_form().

  • Split long concatenated lines using sprintf(). This aims to improve readability and avoid multiple esc_attr() calls for the same value.
  • Escape the form name and id attributes.

Follow-up to [12696], [18444], [19033].

Props sabbirshouvo, mukesh27, audrasjb, henry.wright, SergeyBiryukov.
Fixes #54279.

This ticket was mentioned in Slack in #core by sergey. View the logs.


5 weeks ago

Note: See TracTickets for help on using tickets.