Make WordPress Core

#60324 closed defect (bug) (fixed)

Add missing esc_html()

Reported by: nareshbheda Owned by: audrasjb
Milestone: 6.5 Priority: normal
Severity: normal Version:
Component: Customize Keywords: has-patch commit
Focuses: coding-standards Cc:

Description

Add missing escaping in wp-includes/class-wp-customize-control.php.

Attachments (2)

60324.patch (786 bytes) - added by nareshbheda 13 months ago.
60324.2.patch (1.6 KB) - added by shailu25 13 months ago.
Updated Patch.


Change History (10)

@nareshbheda
13 months ago

#1 @sabernhardt
13 months ago

  • Focuses docs removed

#2 @audrasjb
13 months ago

  • Owner set to audrasjb
  • Status changed from new to reviewing

#3 @shailu25
13 months ago

There is another instance of this on Line 80 in wp-includes/customize/class-wp-customize-nav-menu-location-control.php

echo '<option value="' . esc_attr( $value ) . '"' . selected( $this->value(), $value, false ) . '>' . $label . '</option>';

It should be

echo '<option value="' . esc_attr( $value ) . '"' . selected( $this->value(), $value, false ) . '>' . esc_html( $label ) . '</option>';
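
The difference between the two lines above, as an added example (not code from the ticket or from WordPress core): the option element is rendered once with the raw $label and once with the label passed through esc_html(). The esc_attr(), esc_html() and selected_attr() functions below are stand-ins defined here so the snippet runs outside WordPress; they are assumed to match the encoding behaviour of the real esc_attr()/esc_html() for this input, and selected_attr() is a hypothetical replacement for selected( $selected, $current, false ). The label value is constructed for the demonstration.

```php
<?php
// Stand-ins for the WordPress escaping functions (assumption: both HTML-encode
// quotes, angle brackets and ampersands, which is what matters here).
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

// Hypothetical stand-in for selected( $selected, $current, false ):
// returns the selected attribute on a match, an empty string otherwise.
function selected_attr( $selected, $current ) {
    return ( (string) $selected === (string) $current ) ? ' selected="selected"' : '';
}

// Before the fix described in comment:3: $label is concatenated verbatim,
// so any markup characters in the label land in the page unencoded.
function render_option_unescaped( $value, $label, $current ) {
    return '<option value="' . esc_attr( $value ) . '"'
        . selected_attr( $current, $value ) . '>'
        . $label . '</option>';
}

// After the fix: $label is encoded with esc_html() before output, so the
// label is displayed as text rather than interpreted as markup.
function render_option_escaped( $value, $label, $current ) {
    return '<option value="' . esc_attr( $value ) . '"'
        . selected_attr( $current, $value ) . '>'
        . esc_html( $label ) . '</option>';
}

// Constructed sample input: a menu location label containing characters
// that are significant in HTML.
$label = 'Books & <em>Journals</em>';

echo render_option_unescaped( 'primary', $label, 'primary' ), PHP_EOL;
echo render_option_escaped( 'primary', $label, 'primary' ), PHP_EOL;
```

Running the snippet prints the unescaped variant with the literal <em> tag inside the option text, while the escaped variant prints the same label with &amp;, &lt; and &gt; entities, which is the output the patch produces for labels that are not expected to contain markup.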

#4 @SergeyBiryukov
13 months ago

  • Milestone changed from Awaiting Review to 6.5

#5 @sabernhardt
13 months ago

Good catches!

  • [20295] added WP_Customize_Control without escaping $label for the option element, though the changeset escaped the text used for the input labels.
  • [32806] added WP_Customize_Nav_Menu_Location_Control.

I also found similar <option elements for bulk actions in WP_List_Table, but should this ticket remain focused on the Customizer classes instead of searching wp-admin too?

#6 @audrasjb
13 months ago

  • Keywords changes-requested added

Given similar instances are escaped, these should be escaped too, at least for better consistency.

Adding changes-requested to take into account comment:3.

> I also found similar <option elements for bulk actions in WP_List_Table, but should this ticket remain focused on the Customizer classes instead of searching wp-admin too?

Yeah I think that's another ticket :)

#7 @audrasjb
13 months ago

  • Keywords commit added; changes-requested removed
  • Status changed from reviewing to accepted

Alright let's commit this (I'll make the change to the other file directly).

#8 @audrasjb
13 months ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 57369:

Coding Standards: Add missing escaping functions to WP_Customize_Control and WP_Customize_Nav_Menu_Location_Control.

Follow-up to [20295], [32806].

Props nareshbheda, shailu25, sabernhardt, audrasjb.
Fixes #60324.

@shailu25
13 months ago

Updated Patch.
