Multiple Themes: Correctly escape stylesheet URL

[Alberuni Azad.]

IN 'wp-content/themes/twentyeleven/header.php' on line '52' I've found that "bloginfo( 'stylesheet_url' )" was used without escaping. I know it's a silly issue. But I think we can improve it by escaping the URL for more consistency.

This has been discussed with a security team member who verified it's suitable as a public hardening issue.

[Alberuni Azad.]

Created patch.

[Alberuni Azad.]

Created another path for escaping the get_template_directory_uri() function

[costdev]

Hi @alberuni-azad, thanks for the patch! Can you update the patch so that this

esc_url( bloginfo( 'stylesheet_url' ) );

is changed to:

echo esc_url( get_bloginfo( 'stylesheet_url' ) );

Thanks!

[Alberuni Azad.]

Uploaded another patch.

[Alberuni Azad.]

Hi @costdev

Uploaded another patch https://core.trac.wordpress.org/attachment/ticket/56696/56696.3.diff

Please check now.

Thanks!

[sabernhardt]

1. Could we use the get_stylesheet_uri() function instead of get_bloginfo?
2. The stylesheet version date will be updated on #56450 (already mentioned in ​PR 3148 review).
3. The same escaping could be added in Twenty Ten's header.php.
4. The template directory function is also unescaped for Twenty Twelve to Twenty Fourteen, but we may remove those HTML5 scripts soon anyway (#56699). Twenty Fifteen already escapes the function.

[Alberuni Azad.]

Hi @sabernhardt

1. Since get_bloginfo( 'stylesheet_url' ) function using the get_stylesheet_uri() we can directly call that function instead of the bloginfo function.
2. I'm unsure which version this patch will be added, so I think once the ticket is confirmed, we can update the version date.

3 & 4. Yes, I've checked those files and noticed that the function is unescaped. Should I upload another patch for those themes too?

Anyway, Thank you so much for reviewing this ticket.

[sabernhardt]

If you would like to create patches for the other themes, too, that would be good :)

Then a committer can decide to change any or all of the themes.

Perhaps you could leave the stylesheet's modified date for now, to be edited on #56450 (or a later ticket) within days of the final release.

[Alberuni Azad.]

Created another patch for Twenty Eleven

[Alberuni Azad.]

Created a separated patch for Twenty twelve, thirteen and fourteen

[Alberuni Azad.]

@sabernhardt

I've uploaded 2 different patches. No 4 for the Twenty eleven and 5 no for the Twenty twelve, thirteen, and fourteen themes.

[desrosj]

In 54404:

Twenty Eleven: Pass template directory URLs through esc_url().

Props alberuni-azad, sabernhardt, costdev.
Fixes #56717. See #56696.

[desrosj]

56696.6.diff​ has a few more instances of this issue.

[desrosj]

In 54405:

Bundled Themes: Properly escape URLs.

This adds output escaping to several theme related URLs.

Props alberuni-azad, sabernhardt.
Fixes #56696.