Make WordPress Core

Opened 6 months ago

Closed 6 months ago

Last modified 6 months ago

#59257 closed defect (bug) (duplicate)

Missing escaping function for H1 in wp-login.php

Reported by: khokansardar
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 6.3.1
Component: Login and Registration
Keywords: has-patch
Focuses: coding-standards
Cc:

Description

In the wp-login.php file, an escaping function is missing for the login header text:

<h1><a href="<?php echo esc_url( $login_header_url ); ?>"><?php echo $login_header_text; ?></a></h1>

This $login_header_text has the filter below to modify the text, which may cause an unexpected security issue.

<?php
/**
 * Filters the link text of the header logo above the login form.
 *
 * @since 5.2.0
 *
 * @param string $login_header_text The login header logo link text.
 */
$login_header_text = apply_filters( 'login_headertext', $login_header_text );

Attachments (1)

59257.diff (539 bytes) - added by khokansardar 6 months ago.
Patch added. Thanks.


Change History (3)

#1 @swissspidy
6 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #58305.

This is by design.

#2 This ticket was mentioned in PR #5125 on WordPress/wordpress-develop by @khokansardar.
6 months ago

  • Keywords has-patch added

Escaping function added for h1 login text in wp-login.php file

Trac ticket: https://core.trac.wordpress.org/ticket/59257

@khokansardar
6 months ago

Patch added. Thanks.
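
Since the ticket was closed with the note that the unescaped output is by design, a site that wants the header text constrained has to do so on its own side of the `login_headertext` filter. The following is an added example, not code from WordPress core or from the attached patch: a must-use plugin (file location, plugin name and function name are assumptions) that runs last on the filter and reduces the value to a small allowlist of inline tags.

```php
<?php
/**
 * Plugin Name: Login header text allowlist (added example, hypothetical name)
 *
 * Intended for wp-content/mu-plugins/ so it loads before regular plugins
 * and cannot be deactivated from the admin screen.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Reduce the filtered login header text to a small set of inline tags.
 *
 * @param mixed $text Value produced by earlier 'login_headertext' callbacks.
 * @return string Text that is safe to echo inside <h1><a>...</a></h1>.
 */
function example_constrain_login_headertext( $text ) {
	// A callback may return a non-string; fall back to the escaped site name.
	if ( ! is_string( $text ) ) {
		return esc_html( get_bloginfo( 'name' ) );
	}

	// Inline formatting only: no <script>, no event-handler attributes,
	// and no nested <a>, because the value is already printed inside a link.
	$allowed = array(
		'span'   => array( 'class' => true ),
		'strong' => array(),
		'em'     => array(),
		'br'     => array(),
	);

	// wp_kses() strips every tag and attribute that is not in $allowed.
	return wp_kses( $text, $allowed );
}

// PHP_INT_MAX makes this run after callbacks registered at lower priorities.
add_filter( 'login_headertext', 'example_constrain_login_headertext', PHP_INT_MAX );
```

To require plain text with no markup at all, return `esc_html( $text )` instead of the `wp_kses()` result.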
