Make WordPress Core

Opened 2 years ago

Closed 2 years ago

#56329 closed defect (bug) (fixed)

Unescaped 'self_admin_url()' in themes-install.php and plugin-install.php file

Reported by: krishaweb's profile krishaweb Owned by: audrasjb's profile audrasjb
Milestone: 6.1 Priority: normal
Severity: normal Version:
Component: Upgrade/Install Keywords: has-patch
Focuses: coding-standards Cc:

Description

I've found that in 'wp-admin/includes/themes-install.php' and wp-admin/includes/themes-install.php file, there's 'self_admin_url()' used without escaping. I think it should be escaped.

Attachments (2)

56329.patch (1.9 KB) - added by krishaweb 2 years ago.
56329.2.patch (3.0 KB) - added by krishaweb 2 years ago.
Also found in wp-admin/update-core.php and wp-admin/plugins.php file

Download all attachments as: .zip

Change History (9)

@krishaweb
2 years ago

@krishaweb
2 years ago

Also found in wp-admin/update-core.php and wp-admin/plugins.php file

#1 @audrasjb
2 years ago

Hello and welcome to WordPress Trac!

Thank you for opening this ticket. I'm only wondering whether self_admin_url() can return anything else than an URL 🤔 If so, adding esc_url() would be useless.

#3 @SergeyBiryukov
2 years ago

  • Milestone changed from Awaiting Review to 6.1

Hi there, thanks for the patch!

It looks like core is not super consistent with this, but we do escape self_admin_url() in some other places, so might as well do it here. As the function is filterable, adding the escaping would not hurt.

This would also be consistent with similar changes for admin_url() in [51177] and network_admin_url() in [51189].

#4 @audrasjb
2 years ago

  • Owner set to audrasjb
  • Status changed from new to accepted

Alright, let's improve self_admin_url() use consistency then, thanks for reviewing it Sergey :)

#5 @audrasjb
2 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 53839:

Coding standards: Properly escape URLs returned by self_admin_url() calls.

Props krishaweb, audrasjb, SergeyBiryukov.
Fixes #56329.

#6 @audrasjb
2 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopening to address some other echoed self_admin_url() calls.

#7 @audrasjb
2 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 53840:

Coding standards: Properly escape URLs returned by self_admin_url() calls.

This address some other echoed instances missed by [53839].

Fixes #56329.

Note: See TracTickets for help on using tickets.