#57093 closed defect (bug) (fixed)
Some HTML attributes are missing the esc_attr_e
Reported by: | kowsar89 | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | 6.2 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Administration | Keywords: | has-patch changes-requested |
Focuses: | Cc: |
Description
I found two strings inside HTML attributes where escaping is missing. These should be escaped too, since strings inside HTML attributes are escaped everywhere.
wp-admin/nav-menus.php:
<input type="button" class="deletion menu-items-delete disabled" value="<?php _e( 'Remove Selected Items' ); ?>">
wp-admin/widgets-form.php:
<input type="submit" name="removewidget" id="removewidget" class="button-link button-link-delete widget-control-remove" value="<?php _e( 'Delete' ); ?>" />
Attachments (2)
Change History (12)
This ticket was mentioned in PR #3612 on WordPress/wordpress-develop by kowsar89.
2 years ago
#1
- Keywords has-patch added
#3
2 years ago
- Component changed from General to Administration
- Milestone changed from Awaiting Review to 6.2
#4
2 years ago
Hi, I have checked kowsar89’s code and uploaded the patch file here. I didn't find any other HTML attributes where escaping is missing.
#5
2 years ago
Hi there, welcome back to WordPress Trac! Thanks for the ticket and the patch.
I think you're right, these should be escaped.
I have found one more instance that should be patched, see line 527 in wp-admin/includes/nav-menu.php.
#6
2 years ago
- Keywords changes-requested added
Searching for ="<?php _e in the codebase, I only find 3 occurrences:
- wp-admin/nav-menus.php: one occurrence, already addressed in PR3612
- wp-admin/widget-form.php: one occurrence, already addressed in PR3612
- wp-admin/includes/nav-menu.php: needs to be added to the PR
@riccardodicurti would you like to add a new patch with the missing occurrence? Thanks :)
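Added example, not part of the ticket or of WordPress core: a Python version of the search for ="<?php _e described above, generalized to single-quoted attributes and to echo __() / _ex(), which the ticket does not discuss. The names scan, SAFE and PATTERN and sample lines 3-5 are constructed for illustration.

```python
import re

# Unescaped output call -> attribute-safe counterpart (WordPress core functions).
SAFE = {
    "_e": "esc_attr_e",
    "_ex": "echo esc_attr_x",
    "echo __": "echo esc_attr__",
    "echo _x": "echo esc_attr_x",
}

# An attribute value (either quote style) in which a PHP tag opens with an
# unescaped translation call, e.g. value="<?php _e( 'Delete' ); ?>".
PATTERN = re.compile(
    r"""(=\s*["'][^"'<>]*<\?php\s+)(_ex?|echo\s+__|echo\s+_x)(\s*\()"""
)


def _name(match):
    """Collapse whitespace so 'echo   __' maps to the 'echo __' key."""
    return " ".join(match.group(2).split())


def scan(source):
    """Return (line_number, [calls], suggested_line) per flagged line."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        calls = [_name(m) for m in PATTERN.finditer(line)]
        if calls:
            fixed = PATTERN.sub(
                lambda m: m.group(1) + SAFE[_name(m)] + m.group(3), line
            )
            findings.append((number, calls, fixed.strip()))
    return findings


# Lines 1-2 are the snippets quoted in the ticket; lines 3-5 are constructed.
SAMPLE = """\
<input type="button" class="deletion menu-items-delete disabled" value="<?php _e( 'Remove Selected Items' ); ?>">
<input type="submit" name="removewidget" id="removewidget" class="button-link button-link-delete widget-control-remove" value="<?php _e( 'Delete' ); ?>" />
<input type="submit" value="<?php esc_attr_e( 'Save' ); ?>" />
<a href="#" title='<?php echo __( "Edit" ); ?>'>x</a>
<p><?php _e( 'Delete' ); ?></p>
"""

if __name__ == "__main__":
    for number, calls, fixed in scan(SAMPLE):
        print(f"line {number}: {', '.join(calls)} -> {fixed}")
```

The last sample line is not flagged because the call sits in element content rather than in an attribute value, where esc_html_e() would be the matching escaper.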
#8
2 years ago
- Summary changed from Some html attributes are missing the esc_attr_e to Some HTML attributes are missing the esc_attr_e
Yes, there are only 3 occurrences in the codebase. And those are updated in [PR 3612](https://github.com/WordPress/wordpress-develop/pull/3612/).
PR LGTM
#10
2 years ago
- Owner set to SergeyBiryukov
- Resolution set to fixed
- Status changed from new to closed
In 54834:
@SergeyBiryukov commented on PR #3612:
2 years ago
#11
Thanks for the PR! Merged in r54834.
Trac ticket: https://core.trac.wordpress.org/ticket/57093