#56158 closed defect (bug) (invalid)
Twenty Fourteen: Unescaped 'src' of an 'img' tag in 'header.php’
Reported by: |
|
Owned by: |
|
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | |
Component: | Bundled Theme | Keywords: | |
Focuses: | coding-standards | Cc: |
Description
Hello everyone,
It's my first ticket in WordPress Core. Excited to contribute to WordPress Core. I've found an issue with an unescaped 'src' of an 'img' tag in 'wp-content/themes/twentyfourteen/header.php' in line 39. I think it should be escaped.
Attachments (3)
Change History (12)
@
3 years ago
Hi @Mahbub, thanks for sharing the issue with us. I have attached a patch related to this issue. I hope this will solve your issue. Thank you.
#2
@
3 years ago
Hey @amitbarai013 @mahbubshovan. 🤗
Welcome to WordPress core. Thanks for pointing the issue @mahbubshovan.
No worries. @amitbarai013 U've made rain of patches.
The patch looks good to me
#3
@
3 years ago
- Component changed from Themes to Bundled Theme
- Focuses administration removed
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from assigned to closed
Hello @mahbubshovan, welcome to WordPress Trac!
header_image()
doesn't return the image URL but rather prints it directly and already uses esc_url()
before doing that. You can review the source of the function in the code reference.
#4
@
3 years ago
Hello and welcome to WordPress Core Trac!
Thanks @mahbubshovan for opening the ticket and thanks @amitbarai013 for the patch.
However, I'm not sure this is really needed since header_image()
already uses esc_url()
on the returned string.
Source code: https://github.com/WordPress/wordpress-develop/blob/6.0/src/wp-includes/theme.php#L1397-L1403
Also, the url returned by header_image()
is not filterable, so it looks like the string can't be altered.
#5
@
3 years ago
Ah Dominik beat me on this :)
(by the way, maybe we could consider adding a filter in header_image()
, but that would be for another ticket!)
#7
@
3 years ago
- Summary changed from I've found an unescaped 'src' of an 'img' tag in 'wp-content/themes/twentyfourteen/header.php’ in line no 39. I think it should be escaped to Twenty Fourteen: Unescaped 'src' of an 'img' tag in 'header.php’
#8
@
3 years ago
Hey @audrasjb. 🤗
Thanks a lot for your kind remarks.
I tried to implement your idea.
I thought rather than creating a new ticket I can just share the work here so that you all can see if it looks good, rather than creating a ticket that may later be closed. 😊
Here's what I did:https://github.com/hz-tyfoon/wordpress-develop/commit/a04d438acedb5357c86faa06c19a8c574de3527f
Would U be kind to let me know how it looks...?
Hi @Mahbub,