Opened 2 years ago
Closed 2 years ago
#56329 closed defect (bug) (fixed)
Unescaped 'self_admin_url()' in themes-install.php and plugin-install.php file
Reported by: | krishaweb | Owned by: | audrasjb |
---|---|---|---|
Milestone: | 6.1 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Upgrade/Install | Keywords: | has-patch |
Focuses: | coding-standards | Cc: | |
Description
I've found that in 'wp-admin/includes/themes-install.php' and wp-admin/includes/themes-install.php file, there's 'self_admin_url()' used without escaping. I think it should be escaped.
Attachments (2)
Change History (9)
#1
@
2 years ago
Hello and welcome to WordPress Trac!
Thank you for opening this ticket. I'm only wondering whether self_admin_url() can return anything other than a URL 🤔 If so, adding esc_url() would be useless.
#2
@
2 years ago
Hello @audrasjb,
Here I found self_admin_url() with esc_url() function.
Ref:
https://github.com/WordPress/WordPress/blob/master/wp-admin/about.php#L329#L333
https://github.com/WordPress/WordPress/blob/master/wp-admin/user-edit.php#L246
#3
@
2 years ago
- Milestone changed from Awaiting Review to 6.1
Hi there, thanks for the patch!
It looks like core is not super consistent with this, but we do escape self_admin_url() in some other places, so might as well do it here. As the function is filterable, adding the escaping would not hurt.
This would also be consistent with similar changes for admin_url() in [51177] and network_admin_url() in [51189].
#4
@
2 years ago
- Owner set to audrasjb
- Status changed from new to accepted
Alright, let's improve self_admin_url() use consistency then, thanks for reviewing it Sergey :)
Also found in wp-admin/update-core.php and wp-admin/plugins.php file
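A heuristic check for the pattern discussed in this ticket, as an added example that is not part of the ticket, its patch, or WordPress core: it flags calls to the URL helpers named in the thread that are not enclosed in esc_url(). The PHP sample is constructed, and the names find_unescaped and enclosing_calls are this example's own.

```python
import re

# URL helpers named in the ticket thread; their return values pass through filters.
URL_FUNCS = ("self_admin_url", "admin_url", "network_admin_url")
CALL_RE = re.compile(r"(?<![\w$>])(" + "|".join(URL_FUNCS) + r")\s*\(")

# Constructed PHP sample (not WordPress core code).
SAMPLE = """<?php
echo '<a href="' . self_admin_url( 'theme-install.php' ) . '">Themes</a>';
echo '<a href="' . esc_url( self_admin_url( 'plugin-install.php' ) ) . '">Plugins</a>';
printf(
    '<a href="%s">%s</a>',
    esc_url( add_query_arg( 'tab', 'upload', self_admin_url( 'plugin-install.php' ) ) ),
    __( 'Upload' )
);
printf( '<a href="%s">Updates</a>', network_admin_url( 'update-core.php' ) );
"""


def enclosing_calls(src, pos):
    """Names of the calls whose parentheses enclose offset pos in this statement."""
    names, depth = [], 0
    for i in range(pos - 1, -1, -1):
        ch = src[i]
        if ch == ")":
            depth += 1
        elif ch == "(" and depth:
            depth -= 1  # closes a sibling call we already walked past
        elif ch == "(":
            m = re.search(r"([A-Za-z_]\w*)\s*$", src[:i])
            names.append(m.group(1) if m else "")
        elif ch == ";" and depth == 0:
            break  # reached the previous statement
    return names


def find_unescaped(src):
    """Return (line, function) for each URL helper call not inside esc_url()."""
    hits = []
    for m in CALL_RE.finditer(src):
        if re.search(r"\bfunction\s+$", src[:m.start()]):
            continue  # the helper's own definition, not a call
        if "esc_url" not in enclosing_calls(src, m.start()):
            hits.append((src.count("\n", 0, m.start()) + 1, m.group(1)))
    return hits


if __name__ == "__main__":
    for line, func in find_unescaped(SAMPLE):
        print(f"line {line}: {func}() used without esc_url()")
```

The check works on text, not on parsed PHP, so it also reports calls that are never printed (assignments, redirects); those hits need manual review.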