Make WordPress Core

Opened 6 months ago

Closed 6 months ago

Last modified 6 months ago

#62409 closed defect (bug) (duplicate)

WordPress 6.7 Missing Escaping functionality for theme.php Some Variable

Reported by: patelketan
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.8
Component: General
Keywords: has-patch
Focuses: administration, coding-standards
Cc:

Description

WordPress version 6.7 is missing escaping in the theme.php file... The missing escaping is for $theme['actions']['activate'] and $theme['actions']['customize'].

File location: .../wp-admin/themes.php file, line numbers 610, 617, 624...

I have shared the below screenshot...

Change History (5)

This ticket was mentioned in PR #7790 on WordPress/wordpress-develop by @abcd95.


6 months ago
#1

  • Keywords has-patch added

Trac ticket: Core - 62409

This PR adds proper escaping for theme names, URLs, and attributes in the themes.php file to prevent potential vulnerabilities.

### Changes Made:

  • Added esc_html() escaping for theme name outputs
  • Added esc_url() escaping for theme action URLs:
    • Customize action URLs
    • Activate action URLs

@desrosj commented on PR #7790:


6 months ago
#2

Hi @himanshupathak95,

Did you mean to close this out?

@abcd95 commented on PR #7790:


6 months ago
#3

Hey @desrosj, Thanks for asking!

I did mean to close this. The moment I created this PR, another PR for the same issue was created and merged (since the issue addressed security concerns). Then, since the issue was solved, I had to close the PR.

#4 @desrosj
6 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed
  • Version changed from 6.7 to 3.8

Duplicate of #62405.

@desrosj commented on PR #7790:


6 months ago
#5

Ah ha! Thanks, I see that duplicate ticket now. Appreciate the attempt to fix this.
