Make WordPress Core

Opened 7 weeks ago

Last modified 5 weeks ago

#61125 reviewing enhancement

Many strings or URLs lack proper escaping.

Reported by: yagniksangani's profile yagniksangani Owned by: audrasjb's profile audrasjb
Milestone: Awaiting Review Priority: normal
Severity: minor Version:
Component: General Keywords: has-patch changes-requested
Focuses: coding-standards Cc:


Upon reviewing various strings and URLs within the WordPress core codebase, it has been noted that many instances lack proper escaping.

This absence of escaping poses a security risk, as it can potentially lead to vulnerabilities such as cross-site scripting (XSS) attacks. Unescaped output allows malicious users to inject scripts into web pages viewed by other users.

For example, you can see it here, \wp-activate.php

Attachments (1)

some-feature.61125.diff (3.1 KB) - added by yagniksangani 7 weeks ago.
Added escaping for some Strings and URLs

Download all attachments as: .zip

Change History (3)

7 weeks ago

Added escaping for some Strings and URLs

#1 @audrasjb
5 weeks ago

  • Keywords changes-requested added
  • Owner set to audrasjb
  • Severity changed from major to minor
  • Status changed from new to reviewing

Hello and thanks for the ticket and patch,

However, esc_html_e is a internationalization function and should not be used here as this function is only meant for translatable text.

#2 @sabernhardt
5 weeks ago

#58305 already suggested escaping $login_header_text, but the decision there was to leave that variable unescaped.

Note: See TracTickets for help on using tickets.