Make WordPress Core

#59141 closed defect (bug) (fixed)

Escaping function is missing in $post_edit_link

Reported by: nidhidhandhukiya Owned by: audrasjb
Milestone: 6.4 Priority: normal
Severity: normal Version: 6.3
Component: Revisions Keywords: has-patch commit
Focuses: Cc:


An escaping function is missing where $post_edit_link is used.

Attachments (3)

59141.patch (854 bytes) - added by nidhidhandhukiya 10 months ago.
59141.diff (1.2 KB) - added by rajinsharwar 10 months ago.
Maybe we can escape the _draft_or_post_title() as well.
59141.2.diff (811 bytes) - added by viralsampat 10 months ago.
I have checked the above-mentioned issue and I have added my updated patch.


Change History (12)

#1 @Presskopp
10 months ago

Hello @nidhidhandhukiya, it would be helpful if you could elaborate more what issue you are describing, what is missing and why and how it can be resolved. Thank you.

#2 @Presskopp
10 months ago

Ah, I was writing while you were posting so you have (partly) answered my question now. Sorry.

#3 @mukesh27
10 months ago

  • Component changed from Administration to Revisions
  • Keywords has-patch added
  • Milestone changed from Awaiting Review to 6.4

Thanks @nidhidhandhukiya for ticket and patch.

@Presskopp It's better to escape the output of get_edit_post_link.

Patch works fine in my test. @costdev you could commit your first one 😉

@rajinsharwar
10 months ago

Maybe we can escape the _draft_or_post_title() as well.

#4 @Presskopp
10 months ago

I think escaping is not needed here because get_edit_post_link() already returns safe links.

#5 @Presskopp
10 months ago

Also _draft_or_post_title is already escaping the return value: return esc_html( $title );

#6 @mukesh27
10 months ago

Agree with @Presskopp.


#7 @costdev
10 months ago

  • Keywords commit added

Thanks for the ping @mukesh27!

As noted above, _draft_or_post_title() is already escaped.

However, get_edit_post_link() is not escaped, and also returns the result of the get_edit_post_link filter. There may have been some confusion with edit_post_link(), which does escape the link before output.

59141.patch looks good to me, thanks @nidhidhandhukiya! 🙂

I'm not fully onboarded as a committer yet, sorry Mukesh! 😅 Adding for final review and commit by another committer.
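To make the point in this comment concrete, here is an added illustration that is not code from the ticket or from WordPress core: add_filter(), apply_filters(), get_edit_post_link() and esc_url() are minimal stand-ins for the real functions, and the third-party filter and its appended value are constructed.

```php
<?php
// Added illustration for this ticket; not WordPress core code.
// add_filter(), apply_filters(), get_edit_post_link() and esc_url() below
// are minimal stand-ins for the real WordPress functions.
declare(strict_types=1);

$wp_filters = [];

function add_filter(string $hook, callable $callback): void {
    global $wp_filters;
    $wp_filters[$hook][] = $callback;
}

function apply_filters(string $hook, $value, ...$args) {
    global $wp_filters;
    foreach ($wp_filters[$hook] ?? [] as $callback) {
        $value = $callback($value, ...$args);
    }
    return $value;
}

// Like core, the link is built from trusted data, but the value actually
// returned is whatever the 'get_edit_post_link' filter chain produces.
function get_edit_post_link(int $post_id): string {
    $link = 'http://example.test/wp-admin/post.php?post=' . $post_id . '&action=edit';
    return apply_filters('get_edit_post_link', $link, $post_id, 'display');
}

// Attribute-safe encoding only; the real esc_url() also checks the scheme
// and strips characters that are not valid in a URL.
function esc_url(string $url): string {
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed third-party filter: appends a parameter it never sanitised
// (think of a value copied straight from a request). A quote and an angle
// bracket are enough to leave the href attribute.
add_filter('get_edit_post_link', function (string $link): string {
    return $link . '&from="><i>injected</i';
});

$post_edit_link = get_edit_post_link(42);

// Before the fix: the filtered value lands in the attribute verbatim.
$before = '<a href="' . $post_edit_link . '">Edit</a>';
// After the fix (changeset 56437): escaped at the point of output.
$after = '<a href="' . esc_url($post_edit_link) . '">Edit</a>';

echo $before, PHP_EOL, $after, PHP_EOL;
```

Running it prints the unescaped markup with the attribute broken open, followed by the escaped version where the whole filtered value stays inside href.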

@viralsampat
10 months ago

I have checked the above-mentioned issue and I have added my updated patch.

#8 @audrasjb
10 months ago

  • Owner set to audrasjb
  • Status changed from new to accepted

#9 @audrasjb
10 months ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 56437:

Revisions: Add missing escaping function for $post_edit_link in wp-admin/revision.php.

Props nidhidhandhukiya, Presskopp, mukesh27, rajinsharwar, costdev.
Fixes #59141.
