Make WordPress Core

Opened 10 months ago

Last modified 5 months ago

#58900 new defect (bug)

Escaping: Output String did not run through a proper escaping function

Reported by: armondal
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 3.4
Component: Security
Keywords: has-patch close
Focuses: coding-standards
Cc:


In class-wp-customize-control.php on line 642 'New page title' did not run through any escaping function. I think esc_html_e() should be applied.

Change History (2)

This ticket was mentioned in PR #4898 on WordPress/wordpress-develop by @armondal.

10 months ago

  • Keywords has-patch added

Applying proper escaping function to the output strings

Trac ticket:

#2 @SergeyBiryukov
5 months ago

  • Keywords close added

Hi there, welcome back to WordPress Trac! Thanks for the ticket.

Core translations are considered safe because we have a review process for them, see #42639 and the discussion in #30724. (Also related: #32233, #44637.)

In WordPress core and older bundled themes, strings are generally only escaped in attributes or in <option> tags.
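
An added illustration of the distinction drawn in the comment above (not code from the ticket, the PR or WordPress core): the same trusted translation displays correctly as element text, but inside an attribute a quote character in it ends the attribute value, which is where escaping is still needed. The translation table, the markup and the `demo_*` helpers are constructed stand-ins so the script runs without WordPress loaded.

```php
<?php
// Added example: stand-ins so the script runs without WordPress loaded.
// demo_translate() plays the role of __(); demo_esc() approximates
// esc_html()/esc_attr(), which both encode <, >, & and quotes.
function demo_translate(string $text, array $table): string {
    return $table[$text] ?? $text;
}
function demo_esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Return the placeholder attribute as an HTML parser sees it.
function demo_parsed_placeholder(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // malformed markup is expected here
    $doc->loadHTML($html);
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input ? $input->getAttribute('placeholder') : '';
}

// Constructed sample translation: reviewed and benign, but it contains quotes.
$table = ['New page title' => 'Titre de la "nouvelle" page'];
$label = demo_translate('New page title', $table);

// Element text: quotes are ordinary characters here, so the raw string
// displays as intended and escaping only changes how it is encoded.
$text_raw = '<label>' . $label . '</label>';
$text_esc = '<label>' . demo_esc($label) . '</label>';

// Attribute value: unescaped, the first quote in the translation closes
// the attribute and the rest of the string is parsed as markup.
$attr_raw = '<input placeholder="' . $label . '">';
$attr_esc = '<input placeholder="' . demo_esc($label) . '">';

foreach (['text raw' => $text_raw, 'text escaped' => $text_esc,
          'attr raw' => $attr_raw, 'attr escaped' => $attr_esc] as $name => $html) {
    printf("%-13s %s\n", $name, $html);
}
printf("parsed placeholder, raw:     [%s]\n", demo_parsed_placeholder($attr_raw));
printf("parsed placeholder, escaped: [%s]\n", demo_parsed_placeholder($attr_esc));
```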
