Opened 2 years ago
Closed 2 years ago
#57165 closed defect (bug) (invalid)
Add escaping in widget archives page
| Reported by: | jaedm97 | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Widgets | Keywords: | |
| Focuses: | | Cc: | |
Description
In the widget `class-wp-widget-archives.php`, there is a missing escaping of `$title`. Here is the code:

```php
<label class="screen-reader-text" for="<?php echo esc_attr( $dropdown_id ); ?>"><?php echo $title; ?></label>
```
Attachments (1)
Change History (3)
#2 @ 2 years ago
- Keywords has-patch removed
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from new to closed
- Version trunk deleted
Hello there, `$title` can contain HTML depending on whether the widget's `before_title`/`after_title` arguments are set.

The title as entered by the user is already escaped through the `widget_title` filter and `esc_html()`, see https://core.trac.wordpress.org/browser/tags/6.1.1/src/wp-includes/default-filters.php?desc=1#L149.
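To make the reply's point concrete, the following stand-alone script is an added illustration and not WordPress core code: it models the `widget_title` filter chain with a tiny hook registry (`add_filter_sim`, `apply_filters_sim`, `esc_html_sim` and `esc_attr_sim` are local stand-ins for the WordPress functions, and the instance title is a constructed sample). It shows that the value reaching `<?php echo $title; ?>` has already been HTML-encoded once, and that encoding it again at the echo, as the ticket proposed, would double-encode ordinary titles.

```php
<?php
// Added illustration, not WordPress core code. WordPress attaches esc_html()
// to the 'widget_title' filter in wp-includes/default-filters.php; the
// minimal registry below mimics that single behaviour so the script runs
// without WordPress loaded.

$filters = [];

// Stand-in for add_filter(): register a callback on a hook name.
function add_filter_sim(string $hook, callable $fn): void {
    global $filters;
    $filters[$hook][] = $fn;
}

// Stand-in for apply_filters(): run every registered callback in order.
function apply_filters_sim(string $hook, string $value): string {
    global $filters;
    foreach ($filters[$hook] ?? [] as $fn) {
        $value = $fn($value);
    }
    return $value;
}

// Stand-ins for esc_html() / esc_attr(): encode for text and attribute context.
function esc_html_sim(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function esc_attr_sim(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Mirrors the default-filters.php line the reply links to: the user-entered
// title is escaped exactly once, at the filter.
add_filter_sim('widget_title', 'esc_html_sim');

// Same shape as the widget's label line from the ticket: the filtered title
// is echoed as-is inside the <label>, the id goes through esc_attr().
function render_label(string $instance_title, string $dropdown_id): string {
    $title = apply_filters_sim('widget_title', $instance_title);
    return sprintf(
        '<label class="screen-reader-text" for="%s">%s</label>',
        esc_attr_sim($dropdown_id),
        $title
    );
}

// Constructed sample: a title containing markup and an ampersand.
$raw_title = '<b>Archives</b> & more';

// 1. Current core behaviour: the filter has already encoded the markup, so
//    the label contains text, not tags.
echo render_label($raw_title, 'archives-dropdown-2'), PHP_EOL;

// 2. What the ticket proposed: escaping again at the echo. The already
//    encoded entities are encoded a second time, so "&" no longer renders
//    as "&" and the title is corrupted.
$double = esc_html_sim(apply_filters_sim('widget_title', $raw_title));
echo '<label class="screen-reader-text" for="archives-dropdown-2">' . $double . '</label>', PHP_EOL;

// 3. A check a reviewer can run against a live site: confirm the filter is
//    still attached before trusting the bare echo. In WordPress this is
//    has_filter( 'widget_title', 'esc_html' ); here it is the registry lookup.
$filter_present = in_array('esc_html_sim', $filters['widget_title'] ?? [], true);
echo 'esc_html attached to widget_title: ' . ($filter_present ? 'yes' : 'no'), PHP_EOL;
```

The third step is the caveat worth keeping in mind: the safety of the bare echo rests entirely on `esc_html()` remaining hooked to `widget_title`. A site that removes that filter (for example to allow markup in titles) takes on the responsibility of escaping at every place the filtered title is output.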
Created patch.