#62951 closed defect (bug) (fixed)
Missing Escaping functionality for Some Variable
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 6.8 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Media | Keywords: | has-patch |
| Focuses: | coding-standards | Cc: | |
Description
The image-edit.php file and $thumbURL are missing escaping functionality.
File Location:- ...\wp-admin\includes\image-edit.php file line number 296.
I have shared the screenshot below...
Attachments (1)
Change History (6)
#1
@
6 weeks ago
- Focuses administration removed
- Keywords needs-patch added; has-patch removed
- Type changed from enhancement to defect (bug)
- Version 6.7.2 deleted
Hello and thanks for the ticket,
Yes, that's kinda minor but we could have an esc_url here, and esc_attr for the other sibling attributes.
This ticket was mentioned in PR #8305 on WordPress/wordpress-develop by @benazeer.
6 weeks ago
#2
- Keywords has-patch added; needs-patch removed
Trac ticket: https://core.trac.wordpress.org/ticket/62951
@benazeer commented on PR #8305:
6 weeks ago
#3
Hi @sabernhardt, thanks for the review.
The $post_id variable must be an integer, which should not require any escaping. Both wp_ajax_image_editor() and edit_form_image_editor() cast their attachment IDs to (int) type.
Just confirming, so I can remove it from all places where $post_id is used in this file.
Applying those changes in the next commit.
Missing Escaping functionality for image-edit.php Some Variable
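
The escaping suggested in the first comment (esc_url for the URL, esc_attr for sibling attributes) and the integer-cast point from the PR comment, as an added PHP example that is not code from WordPress core or PR #8305. The markup, the helper names render_thumb_unescaped() and render_thumb_escaped(), and the sample values are constructed; the esc_url()/esc_attr() definitions are simplified stand-ins used only when WordPress is not loaded.

```php
<?php
// Added illustration; this is not the markup from image-edit.php.
// Stand-ins so the file runs outside WordPress; core's esc_attr()/esc_url() do more.
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
}
if ( ! function_exists( 'esc_url' ) ) {
	function esc_url( $url ) {
		$url    = trim( (string) $url );
		$scheme = parse_url( $url, PHP_URL_SCHEME );
		// Reject unparsable URLs and any scheme other than http/https.
		if ( false === $scheme || ( null !== $scheme && ! in_array( strtolower( $scheme ), array( 'http', 'https' ), true ) ) ) {
			return '';
		}
		return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
	}
}

// Hypothetical helper: values are concatenated into attributes as-is.
function render_thumb_unescaped( $post_id, $thumb_url, $alt ) {
	return '<img id="thumb-' . $post_id . '" src="' . $thumb_url . '" alt="' . $alt . '" />';
}

// Hypothetical helper: esc_url() for src, esc_attr() for the sibling attribute,
// and an (int) cast for the ID, which then needs no further escaping.
function render_thumb_escaped( $post_id, $thumb_url, $alt ) {
	return sprintf(
		'<img id="thumb-%d" src="%s" alt="%s" />',
		(int) $post_id,
		esc_url( $thumb_url ),
		esc_attr( $alt )
	);
}

// Constructed sample values: a URL and alt text that contain double quotes.
$post_id   = '42';
$thumb_url = 'https://example.test/thumb.jpg" onload="x';
$alt       = 'Thumbnail "preview"';

echo render_thumb_unescaped( $post_id, $thumb_url, $alt ), "\n";
echo render_thumb_escaped( $post_id, $thumb_url, $alt ), "\n";
```

In the first line of output the quote inside the URL closes the src attribute early; in the second the quotes are entity-encoded, so the whole value stays inside src.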