[wp-trac] [WordPress Trac] #22690: Twenty Twelve: twentytwelve_content_nav $nav_id is not validated.

WordPress Trac noreply at wordpress.org
Mon Dec 3 19:49:01 UTC 2012

#22690: Twenty Twelve: twentytwelve_content_nav $nav_id is not validated.
 Reporter:  ounziw         |       Owner:
     Type:  defect (bug)   |      Status:  new
 Priority:  normal         |   Milestone:  3.5
Component:  Bundled Theme  |     Version:
 Severity:  minor          |  Resolution:
 Keywords:  has-patch      |

Comment (by nacin):

 Looks like the only difference between sanitize_html_class() and
 sanitize_key() is that the former A) allows for a fallback value, B) has a
 filter, C) strips octets. They use the same sanitization.

 It's possible that in the future, sanitize_html_class() is expanded to all
 characters possible in a class, which is slightly different than what is
 allowed in an ID.

 sanitize_key() seems fine here. But, either function could break a
 hypothetically valid ID already in use. "nav below" is not a valid ID.
 Perhaps we rename the argument from $nav_id to $html_id and then just drop
 esc_attr() in. There is only so much we should do to prevent someone from
 shooting themselves in the foot. Eventually they're just going to do it.

Ticket URL: <http://core.trac.wordpress.org/ticket/22690#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
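
Added example, not part of the original message and not WordPress core code: a stand-alone PHP comparison of the three treatments discussed in the comment above, applied to constructed ID values. The demo_* functions are hypothetical stand-ins that approximate sanitize_html_class(), sanitize_key() and esc_attr(); the filter hook is omitted.

```php
<?php
// Stand-ins written for this example; they approximate the WordPress helpers
// named in the comment and are not the core implementations.

// Approximates sanitize_html_class(): strip percent-encoded octets, keep
// [A-Za-z0-9_-], fall back to $fallback when nothing is left (no filter here).
function demo_sanitize_html_class( $class, $fallback = '' ) {
    $out = preg_replace( '/%[a-fA-F0-9]{2}/', '', $class );
    $out = preg_replace( '/[^A-Za-z0-9_-]/', '', $out );
    if ( '' === $out && '' !== $fallback ) {
        return demo_sanitize_html_class( $fallback );
    }
    return $out;
}

// Approximates sanitize_key(): lowercase, then keep [a-z0-9_-].
function demo_sanitize_key( $key ) {
    return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( $key ) );
}

// Approximates esc_attr(): escape for use inside an attribute value and
// change nothing else, so an invalid ID stays invalid but cannot leave
// the attribute.
function demo_esc_attr( $text ) {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
}

// Constructed sample values. "nav below" is the invalid ID quoted in the
// comment; the others are assumptions chosen to show where the outputs differ.
$samples = array( 'nav-below', 'nav below', 'nav.below', 'Nav:Below', 'nav"below', '%41%42' );

foreach ( $samples as $id ) {
    printf(
        "input=[%s] html_class=[%s] key=[%s] esc_attr=[%s]\n",
        $id,
        demo_sanitize_html_class( $id ),
        demo_sanitize_key( $id ),
        demo_esc_attr( $id )
    );
}
```

Both sanitizers rewrite IDs containing periods, colons or spaces, which is how they could break an ID already in use, while escaping only neutralizes the quote and leaves validity to the caller.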
