#59257 closed defect (bug) (duplicate)
Missing escaping function for H1 in wp-login.php
| Reported by: | khokansardar | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 6.3.1 |
| Component: | Login and Registration | Keywords: | has-patch |
| Focuses: | coding-standards | Cc: | |
Description
In the wp-login.php file, there is a missing escaping function for the login header text:

```php
<h1><a href="<?php echo esc_url( $login_header_url ); ?>"><?php echo $login_header_text; ?></a></h1>
```

This $login_header_text has the below filter to modify the text, which may cause an unexpected security issue.

```php
<?php
/**
 * Filters the link text of the header logo above the login form.
 *
 * @since 5.2.0
 *
 * @param string $login_header_text The login header logo link text.
 */
$login_header_text = apply_filters( 'login_headertext', $login_header_text );
```
Attachments (1)
Change History (3)
#1
@
17 months ago
- Milestone Awaiting Review deleted
- Resolution set to duplicate
- Status changed from new to closed
This ticket was mentioned in PR #5125 on WordPress/wordpress-develop by @khokansardar.
17 months ago
#2
- Keywords has-patch added
Escaping function added for h1 login text in wp-login.php file
Trac ticket: https://core.trac.wordpress.org/ticket/59257
Duplicate of #58305.
This is by design.
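Because the value returned from the `login_headertext` filter is echoed inside the `<h1>` as-is, a callback hooked to that filter has to return text that is already safe to print. The following is an added example of such a callback, not code from WordPress core or from PR #5125; the option name `example_login_header_text` and the function name are hypothetical, and the snippet assumes it is loaded as a plugin inside WordPress.

```php
<?php
/**
 * Plugin Name: Login Header Text (hardened example)
 *
 * Constructed example: the option name and function name below are
 * hypothetical and do not exist in WordPress core.
 */

// wp-login.php prints the filtered value inside <h1><a>...</a></h1> without
// escaping, so sanitising has to happen here, before the value is returned.
function example_login_header_text( $login_header_text ) {
    // Stored setting: treat it as untrusted input (imports, other plugins,
    // or a lower-privileged editor may have written it).
    $custom = get_option( 'example_login_header_text', '' );

    // Fall back to the incoming text when nothing usable is configured.
    // The incoming text may already have been changed by an earlier
    // callback on the same filter, so it is sanitised as well.
    $text = ( is_string( $custom ) && '' !== trim( $custom ) )
        ? $custom
        : (string) $login_header_text;

    // Allow only inline formatting tags and no attributes at all. Everything
    // else (script tags, event-handler attributes, nested links) is removed.
    $allowed = array(
        'strong' => array(),
        'em'     => array(),
        'span'   => array(),
    );

    return wp_kses( $text, $allowed );
}

// Late priority so the sanitising runs after other callbacks on the filter.
add_filter( 'login_headertext', 'example_login_header_text', 99 );
```

If the header text never needs markup, replacing the `wp_kses()` call with `esc_html( wp_strip_all_tags( $text ) )` gives plain text only.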