Opened 3 years ago
Closed 3 years ago
#54362 closed defect (bug) (fixed)
Wrong Escaping Function
Reported by: | chintan1896 | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | 5.9 | Priority: | normal |
Severity: | normal | Version: | 5.9 |
Component: | Plugins | Keywords: | has-patch needs-refresh good-first-bug |
Focuses: | administration | Cc: |
Description
Wrong escaping function was used in the plugin install file.
Attachments (3)
Change History (11)
#2 @ 3 years ago
`__()` is a function used for translation. In this case, we are allowing translators to change the URL (to point to a different language version of https://wordpress.org/plugins/, for example https://de.wordpress.org/plugins/, https://sr.wordpress.org/plugins/, ...).
The output of `__()` should be escaped. There are some functions that merge the translating and escaping functions (`esc_attr__()`, `esc_html__()`, ...).
#3 @ 3 years ago
- Keywords 2nd-opinion dev-feedback added
The `src` attribute value should be escaped. I understand the need to allow translators to change the URL to a different language, but a better approach would be to make the URL filterable.
My proposal is this:
- Make the URL filterable, and then
- Escape the `src` attribute value.
#4 @ 3 years ago
- Component changed from General to Plugins
- Focuses administration added
- Keywords needs-refresh added; 2nd-opinion dev-feedback removed
- Milestone changed from Awaiting Review to 6.0
Thanks for the patch!
As noted above, we can add `esc_url()` here, but the `__()` call should not be removed, to allow for the URL to be translated. So I think something like this should work here:
`<?php echo esc_url( __( 'https://wordpress.org/plugins/' ) . $api->slug ); ?>`
doesn't look like an error to me. This is the translation function used in several places for the same string
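The pattern under discussion, as an added example that is not code from the ticket, its patches, or WordPress core: the unescaped line reported in the description beside the `esc_url( __() . $api->slug )` fix from comment #4, plus the filterable variant comment #3 proposes. It assumes WordPress is loaded (drop it into a plugin); the `example_*` function names, the `example_plugins_directory_url` hook name, the `<iframe>` element, and the `$api` object constructed inline are assumptions for illustration, not anything the ticket names.

```php
<?php
/**
 * Added example, not code from ticket #54362 or WordPress core.
 * Assumes WordPress is loaded. Function names, the hook name and the
 * $api object below are assumptions for illustration.
 */

// Constructed stand-in for the $api object the plugin install screen works with.
$api = (object) array( 'slug' => 'hello-dolly' );

/**
 * BEFORE (the reported defect): the translated string goes straight into
 * the attribute. __() returns whatever the active .mo file says, so a
 * language pack can ship a value such as  javascript:alert(1)//  or
 * " onload="alert(1)  and it is emitted verbatim.
 */
function example_plugin_src_unescaped( $api ) {
	return '<iframe src="' . __( 'https://wordpress.org/plugins/' ) . $api->slug . '"></iframe>';
}

/**
 * AFTER (comment #4): keep __() so translators can still point at a
 * localised directory (https://de.wordpress.org/plugins/ ...), but run the
 * assembled URL through esc_url() before it lands in the attribute.
 * esc_url() returns '' when the scheme is not in wp_allowed_protocols()
 * (so a javascript: value is dropped entirely), strips characters such as
 * double quotes and angle brackets, and entity-encodes & and ' for the
 * default 'display' context, so the attribute cannot be broken out of.
 */
function example_plugin_src_escaped( $api ) {
	return '<iframe src="' . esc_url( __( 'https://wordpress.org/plugins/' ) . $api->slug ) . '"></iframe>';
}

/**
 * Comment #3's alternative: let a site or language pack override the base
 * URL through a filter instead of (or in addition to) the translation, and
 * escape last. Because esc_url() runs after the filter, a bad value supplied
 * through the hook is neutralised exactly like a bad translation.
 */
function example_plugins_directory_url( $api ) {
	$base = __( 'https://wordpress.org/plugins/' );
	// Hypothetical hook name: the ticket proposes a filter but does not name one.
	$base = apply_filters( 'example_plugins_directory_url', $base );
	return esc_url( $base . $api->slug );
}

echo '<iframe src="' . example_plugins_directory_url( $api ) . '"></iframe>';
```

Whichever variant is used, the escaping call has to wrap the fully assembled value (base URL plus slug), not just the `__()` result, and it has to be the last step before output; escaping the translation and then concatenating, or escaping before the filter runs, leaves the attribute open again.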