Opened 5 months ago
Last modified 4 months ago
#61125 reviewing enhancement
Many strings or URLs lack proper escaping.
Reported by: | yagniksangani | Owned by: | audrasjb |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | minor | Version: | |
Component: | General | Keywords: | has-patch changes-requested |
Focuses: | coding-standards | Cc: |
Description
Upon reviewing various strings and URLs within the WordPress core codebase, it has been noted that many instances lack proper escaping.
This absence of escaping poses a security risk, as it can potentially lead to vulnerabilities such as cross-site scripting (XSS) attacks. Unescaped output allows malicious users to inject scripts into web pages viewed by other users.
For example, you can see it here, \wp-activate.php
Attachments (1)
Change History (3)
#1
@
4 months ago
- Keywords changes-requested added
- Owner set to audrasjb
- Severity changed from major to minor
- Status changed from new to reviewing
Hello and thanks for the ticket and patch,
However, esc_html_e is an internationalization function and should not be used here as this function is only meant for translatable text.
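To make the distinction in the comment above concrete, here is an added example (it is not from the ticket, the attached patch, or WordPress core) showing which escaping function fits each output context. It assumes WordPress is loaded so that esc_html(), esc_html__(), esc_html_e(), esc_url() and esc_attr() are available; the sample values are constructed.

```php
<?php
// Added example, not part of the ticket or of WordPress core.
// Assumes WordPress is loaded (e.g. via wp-load.php) so the esc_* helpers exist.

// Constructed sample values standing in for user- or database-controlled data.
$site_name = 'Acme <b>Corp</b> & Sons';
$redirect  = 'javascript:void(0)';   // constructed: a scheme esc_url() does not allow
$tagline   = 'Tag "quoted" & friends';

// 1. Dynamic, non-translatable text: use esc_html().
//    esc_html_e() / esc_html__() first look the string up in the translation
//    tables, which is only meant for fixed strings written by the developer.
echo '<h1>' . esc_html( $site_name ) . '</h1>';
// -> <h1>Acme &lt;b&gt;Corp&lt;/b&gt; &amp; Sons</h1>

// 2. Fixed, translatable UI text: esc_html_e() translates, escapes and echoes;
//    esc_html__() translates and escapes but returns the string.
esc_html_e( 'Activate your account', 'default' );
$label = esc_html__( 'Continue', 'default' );

// 3. URLs in href/src: esc_url() removes disallowed schemes (the value above
//    becomes an empty string) and encodes characters that would break the attribute.
echo '<a href="' . esc_url( $redirect ) . '">' . $label . '</a>';

// 4. Arbitrary text inside a double-quoted attribute: esc_attr().
echo '<input type="text" value="' . esc_attr( $tagline ) . '">';
// -> value="Tag &quot;quoted&quot; &amp; friends"
```

The rule of thumb this illustrates: pick the escaper by the output context (HTML body, attribute, URL), and reach for the `_e`/`__` variants only when the string is a fixed, developer-authored phrase that translators are expected to see.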
Added escaping for some Strings and URLs