WordPress.org
Get WordPress

Make WordPress Core

Opened 4 weeks ago

Last modified 4 weeks ago

#65090 new defect (bug)

Missing escaping for dynamic link text

Reported by: maheshpatel's profile maheshpatel Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: General Keywords: has-patch 2nd-opinion
Focuses: coding-standards Cc:

Description (last modified by mukesh27)

File: [src/wp-login.php](src/wp-login.php#L234)

  • Line: 234
  • Problem: $message output without escaping (filterable content)
  • Current Code: 
    if ( ! empty( $message ) ) {
   echo $message . "\n";
}
  • Context: $message comes from apply_filters( 'login_message', $message ) but could contain HTML or special chars
  • Fix: Context-dependent, could be: 
    // If message is expected to have HTML:
if ( ! empty( $message ) ) {
   echo wp_kses_post( $message ) . "\n";
}
// Or if plain text:
if ( ! empty( $message ) ) {
   echo esc_html( $message ) . "\n";
}

Change History (5)

This ticket was mentioned in PR #11594 on WordPress/wordpress-develop by @maheshpatel.
4 weeks ago #1

File: [src/wp-login.php#L234 src/wp-login.php]

  • Line: 234
  • Problem: $message output without escaping (filterable content)
  • Current Code: 
    if ( ! empty( $message ) ) {
      echo $message . "\n";
  }
  • Context: $message comes from apply_filters( 'login_message', $message ) but could contain HTML or special chars
  • Fix: Context-dependent, could be: 
    // If message is expected to have HTML:
  if ( ! empty( $message ) ) {
      echo wp_kses_post( $message ) . "\n";
  }
  // Or if plain text:
  if ( ! empty( $message ) ) {
      echo esc_html( $message ) . "\n";
  }

#2 @maheshpatel
4 weeks ago

The issue has been addressed and a fix has been implemented.

A pull request has been submitted for review: https://github.com/WordPress/wordpress-develop/pull/11594

Kindly take a look and share your feedback. Happy to make any required changes.

#3 @mukesh27
4 weeks ago

  • Description modified (diff)
  • Version trunk deleted

#4 @johnbillion
4 weeks ago

  • Keywords 2nd-opinion added

@maheshpatel There are thousands of places in WordPress where escaping or KSES could be added. If the value comes from user generated data then escaping or KSES should be considered, but there are backwards compatibility, interoperability, and performance concerns with escaping or KSESing everything.

If we were writing WordPress from scratch today then we'd probably escape almost everything by default. But we're not.

Therefore these missing escaping tickets aren't particularly helpful and aren't the best use of everyone's time unless you can demonstrate a real problem that's caused by the lack of escaping, or you can demonstrate that the value comes from user generated data.

#5 @maheshpatel
4 weeks ago

@johnbillion Thanks for the clarification.

Understood — I’ll keep this in mind for future contributions and ensure that any reports include a clear demonstration of user-generated input and real impact.

If appropriate, please feel free to proceed with the ticket and consider it for inclusion in 7.1. I’m happy to continue contributing as an open-source developer, with the intention of strengthening the WordPress ecosystem through meaningful improvements, even if they are small.

Appreciate your guidance and support.

Note: See TracTickets for help on using tickets.