#57336 closed defect (bug) (fixed)
Escape missing URLs and HTML element content in wp-activate.php
Reported by: | rafiq91 | Owned by: | rajinsharwar |
---|---|---|---|
Milestone: | 6.5 | Priority: | normal |
Severity: | major | Version: | |
Component: | Networks and Sites | Keywords: | has-patch has-testing-info needs-testing |
Focuses: | multisite | Cc: |
Description (last modified by )
In the wp-activate.php file,
- We have some unescaped instances of the "network_site_url()" function.
- We have some unescaped URLs being used.
- We have some unescaped HTML element content.
This ticket escapes the missing unescaped instances.
Change History (18)
This ticket was mentioned in PR #3771 on WordPress/wordpress-develop by vairafiq.
22 months ago
#1
#2
@
14 months ago
- Keywords needs-dev-note added
Following on the feedback of the comment here: https://github.com/WordPress/wordpress-develop/pull/3771#discussion_r1050136612
Is it good to be closed @costdev?
#3
@
14 months ago
- Keywords 2nd-opinion added; needs-dev-note removed
Hi @rajinsharwar, thanks for the ping! I believe this should remain open as the PR covers some instances in this file, but not all. I'd also like to check out some of the history in this file and see why escaping isn't there already, as there may be valid reasons/decisions made about this.
#4
@
14 months ago
- Milestone changed from Awaiting Review to 6.4
- Owner changed from rafiq91 to rajinsharwar
Hi @costdev, I have checked the historical data of those lines but didn't find any strong reason for not escaping. Here are the references:
https://core.trac.wordpress.org/changeset/44021#file0
https://core.trac.wordpress.org/changeset/12605/trunk/wp-activate.php
https://core.trac.wordpress.org/ticket/11644
Taking ownership of the ticket, and placing this for 6.4
This ticket was mentioned in PR #5046 on WordPress/wordpress-develop by @rajinsharwar.
14 months ago
#5
Escaping the URLs in the network_site_url function in the file of wp-activate.php
Trac ticket: https://core.trac.wordpress.org/ticket/57336
#6
@
14 months ago
- Component changed from Login and Registration to Networks and Sites
- Focuses multisite added; privacy removed
- Keywords 2nd-opinion removed
Thanks @rajinsharwar!
Indeed, escaping was intended - see the second item in this comment - but looks like it wasn't added.
Most other uses of network_site_url()
are escaped in Core, and I don't see why these cases would be an exception.
I've left a comment on PR 5046 about some additional URL escaping needed, and whether we should expand the scope of this ticket and PR to handle other escaping in this file.
- Updating the component to
Networks and Sites
and addingmultisite
focus, as this file is specifically for Multisite. - Removing
privacy
as the proposed change does not affect privacy.
#7
@
14 months ago
Great thanks @costdev. Suggestion: Should we modify this ticket's title and description to include all escaping changes to this file? I guess that will be better for tracking purposes instead of splitting the task. What do you think?
#8
@
14 months ago
@rajinsharwar I agree that one ticket makes sense for these changes, and the ticket title/description can be updated. Separate commits can be made if that's preferred by the final committer.
#10
@
13 months ago
I cannot find any possible side effects from this, but I didn't find anything for wp-login.php, and screenshot are not available, so, it isn't clear what should be escaped. In this file, there are a lot of calls for URLs to look through 😅
#11
@
12 months ago
- Keywords needs-testing-info added
@rajinsharwar could you update the ticket title/description and add testing info to cover all of the changes in your PR?
This ticket was mentioned in Slack in #core by oglekler. View the logs.
12 months ago
#13
@
12 months ago
- Description modified (diff)
- Keywords has-testing-info added; needs-testing needs-testing-info removed
- Summary changed from Sanitize url and title missing to Escape missing URLs and HTML element content in wp-activate.php
Hi @nicolefurlan @oglekler, updated the title and description for the ticket. :)
Let me know if I missed anything.
#14
@
12 months ago
- Milestone changed from 6.4 to 6.5
We are out of time before RC1, so, I am moving this ticket to the next milestone. Let's not procrastinate until the 6.5 RC1 and make it in the beginning of the alpha )
This ticket was mentioned in Slack in #core by rajinsharwar. View the logs.
8 months ago
#16
@
8 months ago
- Keywords needs-testing added
We likely need some test reports on this if this introduces any issues. Adding "needs-testing"
@SergeyBiryukov commented on PR #5046:
8 months ago
#18
Thanks for the PR! This was merged in r57625.
Trac ticket: https://core.trac.wordpress.org/ticket/57336