Make WordPress Core

Opened 22 months ago

Closed 22 months ago

Last modified 22 months ago

#56133 closed defect (bug) (fixed)

URL escaping added in 'class-custom-background.php' file

Reported by: robinwpdeveloper's profile robinwpdeveloper Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 6.1 Priority: normal
Severity: normal Version: 3.0
Component: Customize Keywords: has-patch
Focuses: administration, coding-standards Cc:


My first ticket and really excited to contribute to the WordPress core.
Let me know if I need anything else to do.

Change History (10)

This ticket was mentioned in PR #2938 on WordPress/wordpress-develop by robinwpdeveloper.

22 months ago

  • Keywords has-patch added

Trac ticket: 56133

#2 @sajjad67
22 months ago

  • Keywords has-patch removed

Hi @robinwpdeveloper

Welcome to WP Community! You are more than welcome here to share your opinion and do contribution to make wp even better! Please add some more descriptions of your ticket and possibly add a patch file to see what you have in mind and how it benefits & improves WP!!

#3 @rudlinkon
22 months ago

  • Keywords has-patch added

#4 @robinwpdeveloper
22 months ago

File path: src/wp-admin/includes/class-custom-background.php
Here home_url( '/' ) is used (Line: 253) without any escaping.

But in other files (e.x. wp-login.php - Line 289) esc_url is used to escape home_url() properly.

We need to do the same in src/wp-admin/includes/class-custom-background.php too.

Happy Coding :)

#5 @costdev
22 months ago

  • Version changed from trunk to 3.0

Related ticket: #56132

#6 follow-up: @costdev
22 months ago

  • Milestone changed from Awaiting Review to 6.1

Hi @robinwpdeveloper, welcome to Trac and thanks for the patch! Let's milestone this for 6.1.

@SergeyBiryukov, I see you're listed as the owner. Do you think this patch has anything else to consider, or is it good to go?

Also see the related ticket #56132 for another unescaped instance of home_url().

#7 @SergeyBiryukov
22 months ago

  • Component changed from Administration to Customize

#8 in reply to: ↑ 6 @SergeyBiryukov
22 months ago

Replying to costdev:

Do you think this patch has anything else to consider, or is it good to go?

I think this looks good :) Thanks everyone!

#9 @SergeyBiryukov
22 months ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 53643:

Coding Standards: Escape the home URL in the "Background updated. Visit your site" message.

This affects Custom_Background::admin_page().

Follow-up to [13041], [45662], [53642].

Props robinwpdeveloper, sajjad67, rudlinkon, hztyfoon, costdev.
Fixes #56133.

SergeyBiryukov commented on PR #2938:

22 months ago

Thanks for the PR! Merged in r53643.

Note: See TracTickets for help on using tickets.