Make WordPress Core

Opened 2 months ago

Closed 2 months ago

Last modified 2 months ago

#62118 closed enhancement (fixed)

Code Improvement Suggestion

Reported by: ramswarup's profile ramswarup Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 6.7 Priority: low
Severity: minor Version: 6.6.2
Component: Administration Keywords: close
Focuses: Cc:

Description (last modified by swissspidy)

Code Improvement Suggestion for admin footer \wp-admin\admin-footer.php line No. 35


$text = sprintf(
        /* translators: %s: https://wordpress.org/ */
        __( 'Thank you for creating with <a href="%s">WordPress</a>.' ),
        __( 'https://wordpress.org/' )
);

Should we use esc_url() here instead of __ (underscore) to ensure that the URL is valid and protected from cross-site scripting?

$text = sprintf(
        /* translators: %s: https://wordpress.org/ */
        __('Thank you for creating with <a href="%s">WordPress</a>.'),
        esc_url( 'https://wordpress.org/' )
);

Thanks!

Change History (8)

This ticket was mentioned in Slack in #core by ramswarup. View the logs.


2 months ago

#2 @swissspidy
2 months ago

  • Component changed from General to Administration
  • Description modified (diff)
  • Focuses coding-standards removed
  • Keywords needs-testing changes-requested removed
  • Priority changed from normal to low
  • Severity changed from normal to minor
  • Type changed from feature request to enhancement

Hi there and welcome to Trac!

instead of

Definitely not instead of. __() is important as it allows for the URL to be translated.

To be honest we're pretty inconsistent in core with escaping the URLs in cases like this. On one hand we do trust translations to be correct, on the other hand it can't hurt to add it.

This ticket was mentioned in PR #7442 on WordPress/wordpress-develop by @narenin.


2 months ago
#3

  • Keywords has-patch added

#4 @ramswarup
2 months ago

@swissspidy Thanks!

#5 @SergeyBiryukov
2 months ago

  • Milestone changed from Awaiting Review to 6.7
  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

Hi there, thanks for the ticket!

It appears that we do escape WordPress.org URLs most of the time, so this brings some more consistency.

#6 @SergeyBiryukov
2 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 59096:

Administration: Escape the WordPress.org URL in wp-admin/admin-footer.php.

Follow-up to [5892], [5955], [10976], [17879], [21366], [27469], [45927].

Props ramswarup, narenin, swissspidy.
Fixes #62118.

@SergeyBiryukov commented on PR #7442:


2 months ago
#7

Thanks for the PR! Merged in r59096.

#8 @ramswarup
2 months ago

  • Keywords close added; has-patch removed
Note: See TracTickets for help on using tickets.