Make WordPress Core

Opened 2 years ago

Closed 23 months ago

#56101 closed defect (bug) (fixed)

Need to use esc_html escaping function instead of esc_attr.

Reported by: chintan1896's profile chintan1896 Owned by: audrasjb's profile audrasjb
Milestone: 6.1 Priority: normal
Severity: normal Version: 2.7
Component: Comments Keywords: has-patch commit
Focuses: Cc:


Need to use esc_html escaping function instead of esc_attr in class-wp-comments-list-table.php file.

Attachments (1)

56101.patch (1.0 KB) - added by chintan1896 2 years ago.

Download all attachments as: .zip

Change History (6)

2 years ago

#1 @afragen
2 years ago

Seems correct in both reasoning and patch.

#2 @peterwilsoncc
2 years ago

  • Component changed from Administration to Comments
  • Milestone changed from Awaiting Review to 6.1
  • Version changed from trunk to 3.1

I've put this on the milestone for inclusion in WP 6.1.

The bug was introduced with the comment list table in [15955] during WordPress 3.1 so I've set the version accordingly.

#3 @SergeyBiryukov
2 years ago

  • Keywords commit added
  • Version changed from 3.1 to 2.7

Hi there, thanks for the patch! It looks good to me and seems to match the escaping of comment author's email in WP_Comments_List_Table::column_author().

This was not introduced in [15955] though, it dates back to [9098] / #7435 for WP 2.7, followed by [11109] and [11204].

#4 @audrasjb
23 months ago

  • Owner set to audrasjb
  • Status changed from new to accepted

Self assigning for commit, as it looks good to go.

#5 @audrasjb
23 months ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 53640:

Comments: Use more appropriate escaping functions in class WP_Comments_List_Table.

This changeset replaces esc_attr escaping function with esc_html as it is more appropriate in this context.

Props chintan1896, afragen, peterwilsoncc, SergeyBiryukov.
Fixes #56101.

Note: See TracTickets for help on using tickets.