Make WordPress Core

#58025 closed defect (bug) (fixed)

Wrong escaping function in get_cancel_comment_reply_link()

Reported by: chintan1896's profile chintan1896 Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 6.3 Priority: normal
Severity: normal Version: 6.3
Component: Comments Keywords: has-patch
Focuses: Cc:


Wrong Escaping Function Was Used in /wp-includes/comment-template.php

Attachments (1)

58025.patch (820 bytes) - added by chintan1896 13 months ago.

Download all attachments as: .zip

Change History (5)

13 months ago

#1 @ankitmaru
13 months ago

Thanks @chintan1896 for the patch.

Patch looks good to me.

#2 @SergeyBiryukov
13 months ago

  • Component changed from General to Comments
  • Milestone changed from Awaiting Review to 6.3

Good catch! Some history here:

  • [9112] added wp_specialchars() to comment_reply_link() and cancel_comment_reply_link().
  • [9406] moved the code to get_comment_reply_link() and get_cancel_comment_reply_link().
  • [11011] replaced wp_specialchars() with clean_url(), but only in get_comment_reply_link().
  • [11380] updated the remaining wp_specialchars() to esc_html() in get_cancel_comment_reply_link().
  • [11383] updated clean_url() to esc_url() in get_comment_reply_link().

In short, esc_url() is indeed the correct function to use here, but it was missed in [11011], and subsequent renamings did not catch that.

#3 @SergeyBiryukov
13 months ago

  • Summary changed from Wrong Escaping Function Was Used to Wrong escaping function in get_cancel_comment_reply_link()

#4 @SergeyBiryukov
13 months ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 55614:

Comments: Use correct escaping function in get_cancel_comment_reply_link().

Follow-up to [9112], [9406], [11011], [11380], [11383], [44659].

Props chintan1896, ankitmaru.
Fixes #58025.

Note: See TracTickets for help on using tickets.