[wp-trac] [WordPress Trac] #39865: Escaping functions have filters that allow them to be bypassed

WordPress Trac noreply at wordpress.org
Mon Feb 13 20:17:39 UTC 2017


#39865: Escaping functions have filters that allow them to be bypassed
--------------------------+-----------------------------
 Reporter:  welcher       |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Formatting    |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 The `esc_*` family of functions all contain filters that pass the unescaped
 content as the second parameter. This seems to defeat the purpose of the
 functions, as all it would take to completely bypass the escaping would be
 to add a filter similar to the following.

 {{{
 // Registered with accepted_args = 2 so the callback receives the raw $text
 // alongside the already escaped $safe_text, and simply hands the raw text back.
 add_filter( 'esc_html', 'bypass_escaping', 10, 2 );

 function bypass_escaping( $safe_text, $text ) {
     return $text;
 }

 // Call this in any template: the script tag is echoed unescaped
 echo esc_html( '<script>alert(\'Haxxed\')</script>' );
 }}}

 My suggestion would be to deprecate the second parameter and, if needed, add
 a filter for just the `$text` that is called before the escaping in the
 internals of the functions.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/39865>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
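The two designs contrasted in the ticket, as an added example that is not part of the ticket or of WordPress core. It uses a minimal hook implementation (`hp_add_filter` / `hp_apply_filters`, hypothetical names) that mimics `add_filter()` / `apply_filters()` just enough to run without WordPress loaded, and `htmlspecialchars()` as a simplified stand-in for the real `esc_html()` escaping. The `pre_esc_html` hook name and the sample payload are constructed for the demonstration.

```php
<?php
// Added example, not code from the ticket or from WordPress core.
// hp_add_filter()/hp_apply_filters() are a hypothetical, minimal stand-in
// for WordPress's add_filter()/apply_filters() so this file runs stand-alone.

$hp_filters = [];

function hp_add_filter( string $hook, callable $cb, int $priority = 10, int $accepted_args = 1 ): void {
    global $hp_filters;
    $hp_filters[ $hook ][ $priority ][] = [ $cb, $accepted_args ];
}

function hp_apply_filters( string $hook, $value, ...$args ) {
    global $hp_filters;
    if ( empty( $hp_filters[ $hook ] ) ) {
        return $value;
    }
    ksort( $hp_filters[ $hook ] );
    foreach ( $hp_filters[ $hook ] as $callbacks ) {
        foreach ( $callbacks as [ $cb, $accepted_args ] ) {
            // Like WordPress, pass the current value first, then the extra
            // arguments, truncated to the number the callback asked for.
            $all   = array_merge( [ $value ], $args );
            $value = $cb( ...array_slice( $all, 0, $accepted_args ) );
        }
    }
    return $value;
}

// Pattern the ticket describes: escape first, then run a filter that is also
// handed the raw $text, so any callback can return the unescaped input.
function current_esc_html( string $text ): string {
    $safe_text = htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' ); // simplified stand-in
    return hp_apply_filters( 'esc_html', $safe_text, $text );
}

// Pattern the ticket suggests: a pre-escape filter sees only $text, and the
// escaping always runs last, so nothing a callback returns reaches the page raw.
function suggested_esc_html( string $text ): string {
    $text = hp_apply_filters( 'pre_esc_html', $text ); // hook name is hypothetical
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
}

// The ticket's bypass callback, registered on the post-escape hook.
function bypass_escaping( $safe_text, $text ) {
    return $text;
}
hp_add_filter( 'esc_html', 'bypass_escaping', 10, 2 );

// A hostile callback on the pre-escape hook: it can alter the input, even
// append markup, but the result is still escaped by suggested_esc_html().
hp_add_filter( 'pre_esc_html', function ( string $text ): string {
    return $text . '<img src=x onerror=alert(1)>';
} );

$payload = "<script>alert('Haxxed')</script>"; // constructed sample input

echo "current:   ", current_esc_html( $payload ), "\n";
echo "suggested: ", suggested_esc_html( $payload ), "\n";
```

Run with `php example.php`. The first line shows the payload coming back unchanged: the callback registered on the post-escape hook simply discards `$safe_text` and returns the raw `$text`. The second line shows that with the pre-escape hook both the original payload and the markup the callback appended come out as HTML entities, because the callback never sees escaped output and the escaping step is the last thing the function does.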