Opened 8 weeks ago
Last modified 8 weeks ago
#62545 new defect (bug)
Adminbar title not escaped
Reported by: | kkmuffme | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | minor | Version: | |
Component: | Toolbar | Keywords: | close 2nd-opinion |
Focuses: | | Cc: | |
Description
class-wp-admin-bar.php
<?php echo ">{$arrow}{$node->title}";
The title isn't getting escaped, there should be an esc_html() there?
Attachments (2)
Change History (8)
This ticket was mentioned in PR #7876 on WordPress/wordpress-develop by lgadzhev.
8 weeks ago
#2
- Keywords has-patch added
@siliconforks commented on PR #7876:
8 weeks ago
#3
#4
@
8 weeks ago
- Component changed from Security to Toolbar
- Keywords close 2nd-opinion added; has-patch removed
It should not use esc_html() because that would break almost all links with an icon or image, including links—and the search form—from Core.
I'll leave the ticket open in case there is a better way to sanitize the node titles (or to skip creating a node if it finds something that does not belong).
@
8 weeks ago
Patch to use wp_kses_post to escape the admin bar title instead of using esc_url or not escaping at all.
#5
@
8 weeks ago
@sabernhardt, if escaping is required in this context, we can utilize wp_kses_post(). This function allows safe HTML to pass through while preventing potentially harmful elements, avoiding the side effects illustrated in the screenshot.
#6
@
8 weeks ago
The wp_kses_post() function does not fit either. It would change & to &, but it would also break the search node (the screenshot shows the front end without a search icon). The default KSES post array does not allow form or input elements, and the filter could remove other elements that plugins rely on.
e.g.
The & will not be & but literal
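The comparison made in the comments above, as an added illustration that is not part of the ticket, the patch, or WordPress core: it runs esc_html(), wp_kses_post() and a wp_kses() call with a widened allowlist over constructed admin-bar node titles (an icon link, the search form, and a title containing an ampersand). It assumes it is executed from inside a WordPress install so that wp-load.php and the escaping functions are available; the allowlist extension is one option for discussion, not a proposed core change.

```php
<?php
// Added illustration for ticket #62545; not WordPress core code.
// Assumption: run from the WordPress root so wp-load.php is found.
require_once __DIR__ . '/wp-load.php';

// Constructed titles modelled on the node types the ticket discusses.
$titles = array(
    'icon link' => '<span class="ab-icon"></span><span class="ab-label">Comments</span>',
    'search'    => '<form action="/" method="get" class="adminbar-search">'
                 . '<input class="adminbar-input" name="s" type="text"></form>',
    'ampersand' => 'Tom & Jerry',
);

// One way to keep the search node alive under KSES: start from the
// default 'post' allowlist and explicitly permit form/input attributes.
$allowed          = wp_kses_allowed_html( 'post' );
$allowed['form']  = array( 'action' => true, 'method' => true, 'class' => true, 'id' => true );
$allowed['input'] = array( 'class' => true, 'name' => true, 'type' => true,
                           'value' => true, 'id' => true, 'placeholder' => true );

foreach ( $titles as $label => $title ) {
    echo "== {$label}\n";
    echo "raw          : {$title}\n";
    // esc_html(): every tag becomes literal text, so icons and forms render as markup.
    echo "esc_html     : " . esc_html( $title ) . "\n";
    // wp_kses_post(): spans survive, form/input are stripped, a bare & becomes &amp;.
    echo "wp_kses_post : " . wp_kses_post( $title ) . "\n";
    // wp_kses() with the widened allowlist: form/input survive, other tags still filtered.
    echo "custom kses  : " . wp_kses( $title, $allowed ) . "\n";
}
```

Running it shows the two failure modes named in the thread side by side: esc_html() turns the icon span and the form into visible text, and wp_kses_post() removes the form and input elements entirely.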