Unescaped 'self_admin_url()' in themes-install.php and plugin-install.php file

[krishaweb]

I've found that in 'wp-admin/includes/themes-install.php' and wp-admin/includes/themes-install.php file, there's 'self_admin_url()' used without escaping. I think it should be escaped.

[krishaweb]

Also found in wp-admin/update-core.php and wp-admin/plugins.php file

[audrasjb]

Hello and welcome to WordPress Trac!

Thank you for opening this ticket. I'm only wondering whether self_admin_url() can return anything else than an URL 🤔 If so, adding esc_url() would be useless.

[krishaweb]

Hello @audrasjb,
Here I found self_admin_url() with esc_url() function.

Ref:
​https://github.com/WordPress/WordPress/blob/master/wp-admin/about.php#L329#L333
​https://github.com/WordPress/WordPress/blob/master/wp-admin/user-edit.php#L246

[SergeyBiryukov]

Hi there, thanks for the patch!

It looks like core is not super consistent with this, but we do escape self_admin_url() in some other places, so might as well do it here. As the function is filterable, adding the escaping would not hurt.

This would also be consistent with similar changes for admin_url() in [51177] and network_admin_url() in [51189].

[audrasjb]

Alright, let's improve self_admin_url() use consistency then, thanks for reviewing it Sergey :)

[audrasjb]

In 53839:

Coding standards: Properly escape URLs returned by self_admin_url() calls.

Props krishaweb, audrasjb, SergeyBiryukov.
Fixes #56329.

[audrasjb]

Reopening to address some other echoed self_admin_url() calls.

[audrasjb]

In 53840:

Coding standards: Properly escape URLs returned by self_admin_url() calls.

This address some other echoed instances missed by [53839].

Fixes #56329.