Opened 16 months ago
Closed 16 months ago
#56329 closed defect (bug) (fixed)
Unescaped 'self_admin_url()' in themes-install.php and plugin-install.php file
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 6.1 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Upgrade/Install | Keywords: | has-patch |
Focuses: | coding-standards | Cc: |
Description
I've found that in 'wp-admin/includes/themes-install.php' and wp-admin/includes/themes-install.php file, there's 'self_admin_url()' used without escaping. I think it should be escaped.
Attachments (2)
Change History (9)
#1
@
16 months ago
Hello and welcome to WordPress Trac!
Thank you for opening this ticket. I'm only wondering whether self_admin_url() can return anything else than a URL 🤔 If so, adding esc_url() would be useless.
#2
@
16 months ago
Hello @audrasjb,
Here I found self_admin_url() with esc_url() function.
Ref:
https://github.com/WordPress/WordPress/blob/master/wp-admin/about.php#L329#L333
https://github.com/WordPress/WordPress/blob/master/wp-admin/user-edit.php#L246
#3
@
16 months ago
- Milestone changed from Awaiting Review to 6.1
Hi there, thanks for the patch!
It looks like core is not super consistent with this, but we do escape self_admin_url() in some other places, so might as well do it here. As the function is filterable, adding the escaping would not hurt.
This would also be consistent with similar changes for admin_url() in [51177] and network_admin_url() in [51189].
#4
@
16 months ago
- Owner set to audrasjb
- Status changed from new to accepted
Alright, let's improve self_admin_url() use consistency then, thanks for reviewing it Sergey :)
Also found in wp-admin/update-core.php and wp-admin/plugins.php file
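The point made in comment #3, that self_admin_url() is filterable and so is worth escaping at the point of output, shown as an added example that is not part of the ticket, its patches or WordPress core. The hook registry, the self_admin_url() and esc_url() stand-ins, the example.test host and the filter callback are assumptions constructed so the script runs without WordPress.

```php
<?php
// Added illustration, not WordPress core code. add_filter(), apply_filters(),
// self_admin_url() and esc_url() below are simplified stand-ins so the script
// runs without WordPress.
$filters = array(); // hook name => list of callbacks
function add_filter( $hook, $callback ) {
	global $filters;
	$filters[ $hook ][] = $callback;
}

function apply_filters( $hook, $value ) {
	global $filters;
	foreach ( $filters[ $hook ] ?? array() as $callback ) {
		$value = $callback( $value );
	}
	return $value;
}

// Stand-in: the return value passes through the 'self_admin_url' filter.
function self_admin_url( $path = '' ) {
	return apply_filters( 'self_admin_url', 'https://example.test/wp-admin/' . $path );
}

// Stand-in for esc_url(): scheme allow-list plus HTML entity encoding.
// The real function also strips disallowed characters and accepts more schemes.
function esc_url( $url ) {
	$scheme = strtolower( (string) parse_url( $url, PHP_URL_SCHEME ) );
	if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
		return '';
	}
	return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
}

// Constructed filter: a hypothetical plugin appends a value it did not encode.
add_filter( 'self_admin_url', function ( $url ) {
	return $url . '?ref=Acme "Pro" Tools';
} );

$url = self_admin_url( 'plugin-install.php' ); // constructed sample path
// Unescaped output: the first quote in the filtered value ends the attribute.
$unescaped = '<a href="' . $url . '">Install</a>';
// Escaped at the point of output: the value stays inside the attribute.
$escaped = '<a href="' . esc_url( $url ) . '">Install</a>';

// Attribute value as an HTML parser would read it (text up to the next quote).
foreach ( array( 'unescaped' => $unescaped, 'escaped' => $escaped ) as $label => $html ) {
	preg_match( '/href="([^"]*)"/', $html, $m );
	printf( "%-9s href = %s\n", $label, html_entity_decode( $m[1], ENT_QUOTES ) );
}
```

Running it prints the href as a parser would read it in each case: the unescaped link is cut off at the first quote supplied by the filter, while the escaped link carries the full value.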