Make WordPress Core

#56329 closed defect (bug) (fixed)

Unescaped 'self_admin_url()' in themes-install.php and plugin-install.php file

Reported by: krishaweb's profile krishaweb Owned by: audrasjb's profile audrasjb
Milestone: 6.1 Priority: normal
Severity: normal Version:
Component: Upgrade/Install Keywords: has-patch
Focuses: coding-standards Cc:

Description

I've found that in 'wp-admin/includes/themes-install.php' and wp-admin/includes/themes-install.php file, there's 'self_admin_url()' used without escaping. I think it should be escaped.

Attachments (2)

56329.patch (1.9 KB) - added by krishaweb 22 months ago.
56329.2.patch (3.0 KB) - added by krishaweb 22 months ago.
Also found in wp-admin/update-core.php and wp-admin/plugins.php file

Download all attachments as: .zip

Change History (9)

@krishaweb
22 months ago

@krishaweb
22 months ago

Also found in wp-admin/update-core.php and wp-admin/plugins.php file

#1 @audrasjb
22 months ago

Hello and welcome to WordPress Trac!

Thank you for opening this ticket. I'm only wondering whether self_admin_url() can return anything else than an URL 🤔 If so, adding esc_url() would be useless.

#3 @SergeyBiryukov
22 months ago

  • Milestone changed from Awaiting Review to 6.1

Hi there, thanks for the patch!

It looks like core is not super consistent with this, but we do escape self_admin_url() in some other places, so might as well do it here. As the function is filterable, adding the escaping would not hurt.

This would also be consistent with similar changes for admin_url() in [51177] and network_admin_url() in [51189].

#4 @audrasjb
22 months ago

  • Owner set to audrasjb
  • Status changed from new to accepted

Alright, let's improve self_admin_url() use consistency then, thanks for reviewing it Sergey :)

#5 @audrasjb
22 months ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 53839:

Coding standards: Properly escape URLs returned by self_admin_url() calls.

Props krishaweb, audrasjb, SergeyBiryukov.
Fixes #56329.

#6 @audrasjb
22 months ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopening to address some other echoed self_admin_url() calls.

#7 @audrasjb
22 months ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 53840:

Coding standards: Properly escape URLs returned by self_admin_url() calls.

This address some other echoed instances missed by [53839].

Fixes #56329.

Note: See TracTickets for help on using tickets.