Make WordPress Core

Opened 12 months ago

Last modified 6 weeks ago

#63071 new defect (bug)

Getting "All output should be run through an escaping function" error in the WordPress core files.

Reported by: viralsampat
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: General
Keywords: dev-feedback changes-requested
Focuses: coding-standards
Cc:

Description

Hello Team,

I have checked the wp-admin WordPress core files and I have found this "All output should be run through an escaping function" error for a few files.

Here, I have listed files:

/wp-admin/includes/class-wp-privacy-policy-content.php
/wp-admin/includes/class-wp-theme-install-list-table.php
/wp-admin/includes/dashboard.php
/wp-admin/includes/class-custom-background.php
/wp-admin/includes/class-wp-screen.php

I have tested this in WordPress 6.8-beta1.

Thanks,

Attachments (2)

63071.patch (12.3 KB) - added by viralsampat 12 months ago.
I have added patch.
63071.2.patch (1.2 KB) - added by viralsampat 12 months ago.
I have added another patch


Change History (5)

@viralsampat
12 months ago

I have added patch.

#1 follow-up: @audrasjb
12 months ago

  • Keywords changes-requested added
  • Version trunk deleted

@viralsampat thanks for the patch; however, I found at least one occurrence that will break the content displayed by the variable: <?php echo esc_html( $help_sidebar ); ?>

$help_sidebar can contain HTML content, as mentioned in the related DocBlock (see function set_help_sidebar()): @param string $content Sidebar content in plain text or HTML.

The other occurrences in your patch need to be checked as well.

@viralsampat
12 months ago

I have added another patch

#2 in reply to: ↑ 1 @viralsampat
12 months ago

Hello @audrasjb

Thank you so much for your feedback.

I have tested my patch and updated it. Now, I have added another patch.

https://core.trac.wordpress.org/attachment/ticket/63071/63071.2.patch

Thanks,

#3 @sajib1223
6 weeks ago

  • Keywords needs-testing removed

Patch Testing Report

Patch tested: https://core.trac.wordpress.org/attachment/ticket/63071/63071.2.patch

Environment

  • WordPress: 7.0-alpha-61215-src
  • PHP: 8.2.29
  • Server: nginx/1.27.5
  • Database: mysqli (Server: 8.4.7 / Client: mysqlnd 8.2.29)
  • Browser: Firefox 147.0
  • OS: Windows 10/11
  • Theme: Twenty Twenty-Five 1.4
  • MU Plugins: None activated
  • Plugins:
    • Test Reports 1.2.1
    • Test Ticket 63071: 1.0.0

Steps taken

  1. Applied patch.
  2. Created & activated a plugin with the following code:
    <?php
    /*
    Plugin Name: Test Ticket 63071
    Version: 1.0.0
    */

    if ( ! defined( 'ABSPATH' ) ) {
        die();
    }

    // Prepend a <style> tag (not one of the tags the help sidebar is meant to
    // render) to the current screen's help sidebar, so the escaping applied by
    // the patch can be observed on the rendered page.
    add_action( 'admin_head', function () {
        $screen = get_current_screen();

        // get_current_screen() can return null; guard before reading ->id.
        if ( $screen && $screen->id ) {
            $existing_sidebar = $screen->get_help_sidebar();
            $screen->set_help_sidebar(
                '<style>p > strong { color: red; }</style>' . $existing_sidebar
            );
        }
    } );

  3. Visit the "All Posts" or "All Pages" page in WP Admin.
  4. ✅ Patch escapes disallowed HTML tags, i.e. the style tag here.

Expected result

  • WP Admin help screen sidebar should escape unsupported HTML content.

Screenshots with results

Before applying patch:

https://files.catbox.moe/2kksp0.png

After applying patch:

https://files.catbox.moe/mp7sox.png

Last edited 6 weeks ago by sajib1223
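To make the escaping choice raised in comment 1 and verified in the test report concrete, here is an added demo plugin that is not part of the ticket or of either patch. It renders the same constructed sidebar content three ways: unescaped, through esc_html() (which turns legitimate markup into literal text), and through an allow-list filter. The ticket does not show the contents of 63071.2.patch, so using wp_kses_post() as that filter is an assumption, as are the demo_ function names and the admin_notices placement.

```php
<?php
/*
Plugin Name: Help Sidebar Escaping Demo (constructed example, not core code)
*/

if ( ! defined( 'ABSPATH' ) ) {
	die();
}

/**
 * Render help sidebar content with one of three strategies.
 * 'raw'  : what an unescaped `echo $help_sidebar` does (no output filtering).
 * 'html' : esc_html(); every `<` becomes `&lt;`, so <p>, <strong> and <a>
 *          are displayed as literal text instead of being rendered.
 * 'kses' : wp_kses_post() (assumed allow-list filter); tags valid in post
 *          content (p, strong, a with href, ...) survive, while a tag such
 *          as <style> is stripped and only its inner text remains.
 */
function demo_render_help_sidebar( $content, $strategy ) {
	switch ( $strategy ) {
		case 'raw':
			return $content;
		case 'html':
			return esc_html( $content );
		case 'kses':
		default:
			return wp_kses_post( $content );
	}
}

// Constructed sidebar content: the kind of markup set_help_sidebar() documents
// as acceptable, plus the <style> tag used by the test plugin in this ticket.
function demo_sample_sidebar() {
	return '<style>p > strong { color: red; }</style>'
		. '<p><strong>For more information:</strong></p>'
		. '<p><a href="https://wordpress.org/documentation/">Documentation</a></p>';
}

// Print all three renderings as admin notices so they can be compared on one
// screen (hypothetical placement chosen for the demo only).
add_action( 'admin_notices', function () {
	foreach ( array( 'raw', 'html', 'kses' ) as $strategy ) {
		echo '<div class="notice"><p><code>' . esc_html( $strategy ) . '</code></p>';
		echo demo_render_help_sidebar( demo_sample_sidebar(), $strategy );
		echo '</div>';
	}
} );
```

Only the 'kses' notice should show the paragraph and link rendered while the red styling does not apply; the 'html' notice shows the tags as text, which is the breakage comment 1 points out.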