unescaped 'home_url()' in 'wp-admin/themes.php' file in 'line 269'

[obayedmamur]

Hi there, 🙂

It's my first ticket at WordPress core.

I've found that in 'wp-admin/themes.php' file, in line number 269 there's 'home_url()' used without escaping. I think it should be escaped.

[hztyfoon]

Hey @obayedmamur, thanks for your contribution to WordPress. Hope you'll continue your contribution.

[hurayraiit]

Good finding! This should do the trick. :-)

[costdev]

Hi @obayedmamur, welcome to Trac and thanks for the patch!

The patch looks good to me. 👍

[hurayraiit]

Hi @costdev,
Thank you so much.

[desrosj]

@hurayraiit It looks like there is a second instance of home_url() not being wrapped with esc_url() that 56145.patch​ fixes, but the one mentioned in the original ticket title is not corrected.

Could you change both at the same time in one patch?

[hurayraiit]

Replying to desrosj:

@hurayraiit It looks like there is a second instance of home_url() not being wrapped with esc_url() that 56145.patch​ fixes, but the one mentioned in the original ticket title is not corrected.

Could you change both at the same time in one patch?

Yeah, absolutely. Let me check please.

[hurayraiit]

Hi @desrosj
Thanks for the comment. I have attached the patch for line 273 also in the second attachment(56145_1.patch). Please let me know if there's anything else I can do.

[costdev]

Related ticket: #56146

[obayedmamur]

Thanks to everyone for your quick response! Loved it! 💖

[hztyfoon]

Related ticket: #56132, #56133, #56146

[hztyfoon]

Both patches looks good to me. Good Work. Thanks @hurayraiit for your contribution.

[desrosj]

#56146 was marked as a duplicate.

[desrosj]

In 53677:

Themes: Properly escape home_url() when changing and updating themes.

Props obayedmamur, hurayraiit, costdev, shraboni, msnewas.
Fixes #56145.