Make WordPress Core

Opened 17 months ago

Closed 17 months ago

Last modified 17 months ago

#57093 closed defect (bug) (fixed)

Some HTML attributes are missing the esc_attr_e

Reported by: kowsar89's profile kowsar89 Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 6.2 Priority: normal
Severity: normal Version:
Component: Administration Keywords: has-patch changes-requested
Focuses: Cc:


I found two strings inside HTML attributes where escaping is missing. These should be escaped too, since strings inside HTML attributes are escaped everywhere.


<input type="button" class="deletion menu-items-delete disabled" value="<?php _e( 'Remove Selected Items' ); ?>">


<input type="submit" name="removewidget" id="removewidget" class="button-link button-link-delete widget-control-remove" value="<?php _e( 'Delete' ); ?>" />

Attachments (2)

3612.patch (1.7 KB) - added by riccardodicurti 17 months ago.
3612.2.diff (2.9 KB) - added by riccardodicurti 17 months ago.

Download all attachments as: .zip

Change History (12)

This ticket was mentioned in PR #3612 on WordPress/wordpress-develop by kowsar89.

17 months ago

  • Keywords has-patch added

#3 @SergeyBiryukov
17 months ago

  • Component changed from General to Administration
  • Milestone changed from Awaiting Review to 6.2

#4 @riccardodicurti
17 months ago

Hi, I have checked kowsar89’s code and uploaded the patch file here. I didn't find any other HTML attributes where escaping is missing.

#5 @SergeyBiryukov
17 months ago

Hi there, welcome back to WordPress Trac! Thanks for the ticket and the patch.

I think you're right, these should be escaped.

I have found one more instance that should be patched, see line 527 in wp-admin/includes/nav-menu.php.

#6 @audrasjb
17 months ago

  • Keywords changes-requested added

Searching for ="<?php _e in the codebase, I only find 3 occurrences:

  • wp-admin/nav-menus.php: one occurrence, already addressed in PR3612
  • wp-admin/widget-form.php: one occurrence, already addressed in PR3612
  • wp-admin/includes/nav-menu.php: needs to be added to the PR

@riccardodicurti would you like to add a new patch with the missing occurrence? Thanks :)

#7 @kowsar89
17 months ago

I have updated the PR with the fix in file wp-admin/includes/nav-menu.php

#8 @krupalpanchal
17 months ago

  • Summary changed from Some html attributes are missing the esc_attr_e to Some HTML attributes are missing the esc_attr_e

Yes, there are only 3 occurrences in the codebase. And those are updated in [PR 3612]

#9 @riccardodicurti
17 months ago

I also updated the patch here.

#10 @SergeyBiryukov
17 months ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 54834:

Administration: Add missing escaping for a few strings used as HTML attributes.

Follow-up to [47209], [50997], [51006].

Props kowsar89, riccardodicurti, audrasjb, krupalpanchal, SergeyBiryukov.
Fixes #57093.

@SergeyBiryukov commented on PR #3612:

17 months ago

Thanks for the PR! Merged in r54834.

Note: See TracTickets for help on using tickets.