Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#56117 closed defect (bug) (invalid)

Need escaping in class-wp-rest-widget-types-controller file

Reported by: priyankkpatel
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: REST API
Keywords:
Focuses:
Cc:

Description

In the /wp-includes/rest-api/endpoints/class/class-wp-rest-widget-types-controller.php file, escaping is needed in the function render_legacy_widget_preview_iframe.
Attaching a patch for the same.

Attachments (1)

56117.patch (723 bytes) - added by priyankkpatel 3 years ago.


Change History (4)

@priyankkpatel
3 years ago

#1 follow-up: @TimothyBlynJacobs
3 years ago

Hi @priyankkpatel,

Why should these values be escaped?

#2 in reply to: ↑ 1 @priyankkpatel
3 years ago

Hi @TimothyBlynJacobs,

I think since it's a request parameter from the function itself we can escape these values while calling.

#3 @TimothyBlynJacobs
3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

WordPress practices late escaping. In other words, unsafe values should be escaped as close to their output as possible. Preemptively escaping every value that is passed to a function would be unnecessary and can sometimes lead to security issues itself.

Instead, you'd need to look at the function being called, render_block_core_legacy_widget, and evaluate if there were any places where output was generated without being properly escaped.
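To make the late-escaping point concrete, here is an added PHP example; it is not WordPress core code and not the attached patch. `esc_attr_stub()` is a stand-in for WordPress's `esc_attr()`, the two `render_preview_iframe*` functions are hypothetical renderers that stand in for the real preview code, and the input values and the `example.test` URL are constructed.

```php
<?php
// Added example (not WordPress core code, not the ticket's patch): escaping
// at the output point versus escaping at the call site. Runs under plain
// `php`; the stub below stands in for WordPress's esc_attr() so nothing
// from WordPress is required.

function esc_attr_stub( string $text ): string {
    // HTML attribute context: encode quotes, <, > and &. double_encode=false
    // keeps an already-encoded "&amp;" as "&amp;" (assumption: this is close
    // to how WordPress's own esc_attr() treats entities it recognises).
    return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false );
}

// The defect a reviewer looks for in the called function: request-derived
// values written straight into markup with no escaping at the output point.
function render_preview_iframe_unescaped( string $widget_id, string $title ): string {
    $src = 'https://example.test/preview?widget=' . $widget_id; // constructed URL
    return '<iframe src="' . $src . '" title="' . $title . '"></iframe>';
}

// Late escaping: raw values come in and each is escaped exactly once, with
// the function matching the context it is written into (URL query value
// first, then HTML attribute).
function render_preview_iframe( string $widget_id, string $title ): string {
    $src = 'https://example.test/preview?widget=' . rawurlencode( $widget_id );
    return '<iframe src="' . esc_attr_stub( $src ) . '"'
         . ' title="' . esc_attr_stub( $title ) . '"></iframe>';
}

// Constructed inputs containing HTML and URL metacharacters.
$widget_id = 'my-widget&x';
$title     = 'Preview "quoted" & <b>bold</b>';

echo "Unescaped output (the bug to look for):\n";
echo render_preview_iframe_unescaped( $widget_id, $title ), "\n\n";
// The quote in $title ends the title attribute early, and "&x" reaches the
// URL untouched: the callee, not the caller, failed to escape.

echo "Late escaping, raw values in:\n";
echo render_preview_iframe( $widget_id, $title ), "\n\n";
// src="https://example.test/preview?widget=my-widget%26x"
// title="Preview &quot;quoted&quot; &amp; &lt;b&gt;bold&lt;/b&gt;"

echo "Early escaping at the call site, as the patch proposed:\n";
echo render_preview_iframe( esc_attr_stub( $widget_id ), esc_attr_stub( $title ) ), "\n";
// The HTML-escaped id "my-widget&amp;x" is then URL-encoded for a different
// context, giving widget=my-widget%26amp%3Bx: the preview endpoint would
// receive the literal string "my-widget&amp;x" instead of "my-widget&x".
```

The third call is the failure mode the comment describes: escaping a value before its output context is known produces a value that is wrong for the context it ends up in, here an HTML-escaped string that is subsequently URL-encoded. The fix for the first renderer is the second renderer, escaping once at the point of output, not a second layer of escaping at the call site.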
