Opened 3 years ago
Closed 3 years ago
#56117 closed defect (bug) (invalid)
Need escaping in class-wp-rest-widget-types-controller file
| Reported by: | priyankkpatel | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | REST API | Keywords: | |
| Focuses: | | Cc: | |
Description
In the /wp-includes/rest-api/endpoints/class/class-wp-rest-widget-types-controller.php file, escaping is needed in the function render_legacy_widget_preview_iframe.
Attaching a patch for the same.
Attachments (1)
Change History (4)
#1
Hi @priyankkpatel,
Why should these values be escaped?
#2
in reply to: ↑ 1
3 years ago
Hi @TimothyBlynJacobs,
I think that since it's a request parameter from the function itself, we can escape these values while calling.
#3
3 years ago
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from new to closed
WordPress practices late escaping. In other words, unsafe values should be escaped as close to their output as possible. Preemptively escaping every value that is passed to a function would be unnecessary and can sometimes lead to security issues itself.
Instead, you'd need to look at the function being called, render_block_core_legacy_widget, and evaluate whether there were any places where output was generated without being properly escaped.
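The late-escaping point made in the closing comment, shown as an added stand-alone example (this is not WordPress core code and not the patch attached to the ticket). `esc_attr_like()` is a stand-in for WordPress's `esc_attr()` built on `htmlspecialchars()` so the script runs without WordPress loaded; `render_title_attr()` and `render_title_attr_trusting()` are hypothetical sinks and are not `render_block_core_legacy_widget`. The sample value is constructed.

```php
<?php
// Added example, not WordPress core code. Demonstrates why escaping belongs at
// the output sink (late escaping) rather than at every call site.

// Stand-in for WordPress esc_attr(): HTML attribute escaping. Like esc_attr(),
// it double-encodes an already-encoded "&amp;" into "&amp;amp;".
function esc_attr_like(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hypothetical sink that owns the output: it escapes for the attribute context
// it writes into, so callers pass the raw value. This is late escaping.
function render_title_attr(string $title): string {
    return '<div title="' . esc_attr_like($title) . '"></div>';
}

// Hypothetical sink that relies on callers having escaped already (early
// escaping). Its safety depends on every caller remembering to do so.
function render_title_attr_trusting(string $title): string {
    return '<div title="' . $title . '"></div>';
}

// Constructed sample: what an attacker-controlled request parameter might hold.
$untrusted = 'Tom & Jerry "classic" onmouseover=alert(1)';

// 1. Late escaping: raw value in, escaped exactly once at output.
//    -> <div title="Tom &amp; Jerry &quot;classic&quot; onmouseover=alert(1)"></div>
$late = render_title_attr($untrusted);

// 2. Escaping at the call site AND in the sink: double encoding. The browser now
//    shows a literal "&amp;" and "&quot;" in the tooltip. Harmless here, but this
//    is the "unnecessary" part of the closing comment, and in other contexts
//    (URLs, JSON, SQL) applying the wrong escaper early mangles data.
//    -> <div title="Tom &amp;amp; Jerry &amp;quot;classic&amp;quot; onmouseover=alert(1)"></div>
$double = render_title_attr(esc_attr_like($untrusted));

// 3. Call-site escaping with a trusting sink works for this one caller...
$trusting = render_title_attr_trusting(esc_attr_like($untrusted));

// ...but the next caller that forgets it (or a refactor that drops the escape)
//    breaks out of the attribute, and nothing in the sink catches it.
//    -> <div title="Tom & Jerry "classic" onmouseover=alert(1)"></div>
$broken = render_title_attr_trusting($untrusted);

foreach (['late' => $late, 'double' => $double, 'trusting' => $trusting, 'broken' => $broken] as $label => $html) {
    echo str_pad($label, 9), $html, PHP_EOL;
}
```

Run with `php late-escaping.php`. The review question this implies for the ticket is the one the closing comment states: not "does the caller escape what it passes in?" but "does `render_block_core_legacy_widget` escape, with the escaper matching the context (attribute, URL, JS, HTML body), at every point where it emits the value?"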