Make WordPress Core

Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#56133 closed defect (bug) (fixed)

URL escaping added in 'class-custom-background.php' file

Reported by: robinwpdeveloper
Owned by: SergeyBiryukov
Milestone: 6.1
Priority: normal
Severity: normal
Version: 3.0
Component: Customize
Keywords: has-patch
Focuses: administration, coding-standards
Cc:

Description

My first ticket, and I'm really excited to contribute to the WordPress core.
Let me know if I need to do anything else.

Change History (10)

This ticket was mentioned in PR #2938 on WordPress/wordpress-develop by robinwpdeveloper.


2 years ago
#1

  • Keywords has-patch added

Trac ticket: 56133

#2 @sajjad67
2 years ago

  • Keywords has-patch removed

Hi @robinwpdeveloper

Welcome to the WP Community! You are more than welcome here to share your opinion and contribute to make WP even better! Please add some more description to your ticket and possibly add a patch file so we can see what you have in mind and how it benefits & improves WP!!

#3 @rudlinkon
2 years ago

  • Keywords has-patch added

#4 @robinwpdeveloper
2 years ago

File path: src/wp-admin/includes/class-custom-background.php
Here home_url( '/' ) is used (Line: 253) without any escaping.

But in other files (e.g. wp-login.php - Line 289) esc_url is used to escape home_url() properly.

We need to do the same in src/wp-admin/includes/class-custom-background.php too.

Happy Coding :)

#5 @costdev
2 years ago

  • Version changed from trunk to 3.0

Related ticket: #56132

#6 follow-up: @costdev
2 years ago

  • Milestone changed from Awaiting Review to 6.1

Hi @robinwpdeveloper, welcome to Trac and thanks for the patch! Let's milestone this for 6.1.

@SergeyBiryukov, I see you're listed as the owner. Do you think this patch has anything else to consider, or is it good to go?

Also see the related ticket #56132 for another unescaped instance of home_url().
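
A heuristic audit for the pattern discussed in comments #4 and #6, as an added example that is not part of the ticket or of WordPress code: it flags home_url() calls that are printed without esc_url() around them. The PHP sample is constructed, and the Python function names are this example's own.

```python
import re

ESCAPERS = {"esc_url"}  # the wrapper the ticket asks for
OUTPUT_HEAD = re.compile(r"\s*(?:echo|print|printf)\b")
CALLEE = re.compile(r"([A-Za-z_]\w*)\s*$")
PHP_BLOCK = re.compile(r"<\?php(.*?)(?:\?>|\Z)", re.S)


def _scan_block(src, start, end):
    """Walk one PHP block, tracking which calls enclose each '('."""
    lines, stack, stmt, i = [], [], start, start
    while i < end:
        ch = src[i]
        if ch in "'\"":  # skip string literals so their ( ) ; are ignored
            i += 1
            while i < end and src[i] != ch:
                i += 2 if src[i] == "\\" else 1
        elif ch in ";{}":  # statement boundary
            stmt, stack = i + 1, []
        elif ch == "(":
            m = CALLEE.search(src, stmt, i)
            name = m.group(1) if m else ""
            if (name == "home_url" and not ESCAPERS & set(stack)
                    and OUTPUT_HEAD.match(src, stmt)):
                lines.append(src.count("\n", 0, i) + 1)
            stack.append(name)
        elif ch == ")" and stack:
            stack.pop()
        i += 1
    return lines


def find_unescaped_home_url(src):
    """Line numbers where home_url() is printed without esc_url() around it."""
    hits = []
    for block in PHP_BLOCK.finditer(src):
        hits += _scan_block(src, block.start(1), block.end(1))
    return hits


# Constructed sample modelled on the message named in the commit, not the real file.
SAMPLE = """<div class="updated"><p>
<?php
printf( __( 'Background updated. <a href="%s">Visit your site</a> to see how it looks.' ), home_url( '/' ) );
?>
</p></div>
<a href="<?php echo esc_url( home_url( '/' ) ); ?>">It's escaped</a>
<?php $redirect = home_url( '/' ); ?>
"""
```

Calling find_unescaped_home_url(SAMPLE) reports only the printf line; the escaped echo and the plain assignment are not flagged. Comments, heredocs and `<?=` short echo tags are not handled, so treat hits as review leads.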

#7 @SergeyBiryukov
2 years ago

  • Component changed from Administration to Customize

#8 in reply to: ↑ 6 @SergeyBiryukov
2 years ago

Replying to costdev:

> Do you think this patch has anything else to consider, or is it good to go?

I think this looks good :) Thanks everyone!

#9 @SergeyBiryukov
2 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 53643:

Coding Standards: Escape the home URL in the "Background updated. Visit your site" message.

This affects Custom_Background::admin_page().

Follow-up to [13041], [45662], [53642].

Props robinwpdeveloper, sajjad67, rudlinkon, hztyfoon, costdev.
Fixes #56133.

SergeyBiryukov commented on PR #2938:


2 years ago
#10

Thanks for the PR! Merged in r53643.
