Opened 5 months ago
Last modified 5 months ago
#63675 new defect (bug)
Sanitize request values and improve translatable strings in edit-comments.php
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | minor | Version: | |
| Component: | Comments | Keywords: | 2nd-opinion close |
| Focuses: | administration | Cc: | |
Description
This patch addresses a small security and translation-related improvement in the wp-admin/edit-comments.php file:
- Sanitization of Request Inputs
Currently, $_REQUEST['comment_status'] and $_REQUEST['pagegen_timestamp'] are used directly after wp_unslash():

```php
$comment_status = wp_unslash( $_REQUEST['comment_status'] );
$delete_time    = wp_unslash( $_REQUEST['pagegen_timestamp'] );
```
- Translatable String Formatting
```php
$messages[] = __( 'This comment is already approved.' ) . sprintf(
	' <a href="%1$s">%2$s</a>',
	esc_url( admin_url( "comment.php?action=editcomment&c=$same" ) ),
	__( 'Edit comment' )
);
```

is refactored into a single sprintf()-wrapped translatable string:

```php
$messages[] = sprintf(
	__( 'This comment is already approved. <a href="%s">Edit comment</a>' ),
	esc_url( admin_url( "comment.php?action=editcomment&c=$same" ) )
);
```
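The following is an added illustration of the validation the first point asks for; it is not the attached patch and not WordPress core code. It assumes that, in the bulk "delete all" branch, comment_status is expected to be one of the comment_approved states spam or trash and that pagegen_timestamp carries a MySQL-format datetime (as produced by current_time( 'mysql', 1 )); the allowlist, the helper name example_validated_delete_all_args(), the stand-in definitions of wp_unslash() and sanitize_text_field() (only used when core is not loaded), and the sample requests are all constructed for this example. Escaping via $wpdb->prepare() and validating that a value is one of the expected states are separate concerns; this block shows the second.

```php
<?php
// Added example for the ticket discussion; not the patch and not core code.
// Minimal stand-ins so the file runs outside WordPress (assumption: when core
// is loaded these guards are skipped and the real functions are used).
if ( ! function_exists( 'wp_unslash' ) ) {
	function wp_unslash( $value ) {
		return is_string( $value ) ? stripslashes( $value ) : $value;
	}
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
	function sanitize_text_field( $str ) {
		return trim( strip_tags( (string) $str ) ); // stand-in, not core's implementation
	}
}

/**
 * Hypothetical helper: validate the two request values used by the
 * "delete all" branch and return null for anything unexpected instead of
 * passing it through to the query.
 *
 * @param array $request The superglobal to read from (e.g. $_REQUEST).
 * @return array|null    ['comment_status' => ..., 'delete_time' => ...] or null.
 */
function example_validated_delete_all_args( array $request ) {
	// Assumed allowlist: the comment_approved states the branch compares against.
	$allowed_status = array( 'spam', 'trash' );

	$status = isset( $request['comment_status'] )
		? sanitize_text_field( wp_unslash( $request['comment_status'] ) )
		: '';
	if ( ! in_array( $status, $allowed_status, true ) ) {
		return null;
	}

	$raw_time = isset( $request['pagegen_timestamp'] )
		? sanitize_text_field( wp_unslash( $request['pagegen_timestamp'] ) )
		: '';
	// Accept only an exact YYYY-MM-DD HH:MM:SS datetime; the round-trip check
	// rejects inputs that createFromFormat() would silently normalise.
	$dt = DateTime::createFromFormat( 'Y-m-d H:i:s', $raw_time, new DateTimeZone( 'UTC' ) );
	if ( false === $dt || $dt->format( 'Y-m-d H:i:s' ) !== $raw_time ) {
		return null;
	}

	return array(
		'comment_status' => $status,
		'delete_time'    => $raw_time,
	);
}

// Constructed sample requests (not captured from a real site).
$good = array(
	'comment_status'    => 'spam',
	'pagegen_timestamp' => '2024-05-01 10:20:30',
);
$bad  = array(
	'comment_status'    => "spam' OR 1=1",
	'pagegen_timestamp' => 'now',
);

var_dump( example_validated_delete_all_args( $good ) ); // array with both values
var_dump( example_validated_delete_all_args( $bad ) );  // NULL
```

Where the helper returns null the caller would abort the bulk action rather than build the query, so a malformed status or timestamp never reaches $wpdb->prepare() at all.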
Attachments (1)
Change History (4)
#1 (5 months ago)
- Description modified (diff)
- Focuses accessibility coding-standards php-compatibility removed
- Keywords needs-testing removed
#2 (5 months ago)
- Keywords 2nd-opinion added; has-patch removed
- Version 6.8 deleted
The $comment_status and $delete_time variables run through $wpdb->prepare(), which returns a sanitized query string.
Regarding the translatable strings, I do not recommend refactoring them to add HTML markup and a %s placeholder for a link intended to remain at the end of the message. The three messages from [13247] have a consistent pattern, and they are already translated in more than 120 language locales.