Make WordPress Core

#57165 closed defect (bug) (invalid)

Add escaping in widget archives page

Reported by: jaedm97's profile jaedm97 Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Widgets Keywords:
Focuses: Cc:

Description

In the widget class-wp-widget-archives.php, there is a missing escaping of $title;, Here is the code -

<label class="screen-reader-text" for="<?php echo esc_attr( $dropdown_id ); ?>"><?php echo $title; ?></label>

Attachments (1)

57165.diff (768 bytes) - added by jaedm97 19 months ago.
Created patch.

Download all attachments as: .zip

Change History (3)

@jaedm97
19 months ago

Created patch.

#1 @jaedm97
19 months ago

  • Keywords has-patch added

#2 @ocean90
19 months ago

  • Keywords has-patch removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed
  • Version trunk deleted

Hello there, $title can contain HTML depending on whether the widget's before_title/after_title arguments are set.

The title as entered by the user is already escaped through the widget_title filter and esc_html(), see https://core.trac.wordpress.org/browser/tags/6.1.1/src/wp-includes/default-filters.php?desc=1#L149.

Note: See TracTickets for help on using tickets.