#56110 closed defect (bug) (invalid)
Need to use esc_html__ escaping function
Reported by: | kartikpatel | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 6.1 |
Component: | Administration | Keywords: | has-patch |
Focuses: | Cc: |
Description (last modified by )
Need to use esc_html__
escaping function instead of __
in wp-admin/options-permalink.php file.
Attachments (1)
Change History (7)
#3
in reply to:
↑ 2
@
2 years ago
- Keywords close 2nd-opinion removed
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from new to closed
Replying to SergeyBiryukov:
The
$blog_prefix
and$prefix
values here are hardcoded and not user-editable, so it's not quite clear why they should be escaped.
I agree with this assessment, so closing this one out. @kartikpatel if you still feel that esc_html__
should be used here instead and are able provide additional details why, feel free to reopen.
#4
follow-up:
↓ 5
@
2 years ago
I agree with keeping the translated string and the prefix variables as they are.
However, I think replacing the six instances of get_option( 'home' )
with a variable that escapes home_url()
could improve the code.
$url_base = esc_url( home_url() );
Would that belong on a new ticket?
#5
in reply to:
↑ 4
@
2 years ago
Replying to sabernhardt:
However, I think replacing the six instances of
get_option( 'home' )
with a variable that escapeshome_url()
could improve the code.
Good point! That would remove a few repeated function calls.
Would that belong on a new ticket?
I think a new ticket might be cleaner, as it seems a bit out of scope of the original suggestion. However, as that would touch the same code, we could also repurpose this one. I don't have a strong preference here :)
Hi there, welcome back to WordPress Trac! Thanks for the ticket and the patch.
Core translations are considered safe because we have a review process for them, see #42639 and the discussion in #30724. (Also related: #32233, #44637.)
In WordPress core and older bundled themes, strings are generally only escaped in attributes or in
<option>
tags. However, this was recently reconsidered for newer bundled themes, see comment:5:ticket:54127.Some other related tickets: #47384, #47385, #49535, #49536, #49537.
The
$blog_prefix
and$prefix
values here are hardcoded and not user-editable, so it's not quite clear why they should be escaped.