[wp-trac] [WordPress Trac] #46990: Properly escape output of the ms_user_list_site_class filter

WordPress Trac noreply at wordpress.org
Fri Apr 19 11:28:02 UTC 2019

#46990: Properly escape output of the ms_user_list_site_class filter
 Reporter:  david.binda         |      Owner:  (none)
     Type:  defect (bug)        |     Status:  new
 Priority:  normal              |  Milestone:  Awaiting Review
Component:  Networks and Sites  |    Version:  trunk
 Severity:  normal              |   Keywords:
  Focuses:  multisite           |
 In r44977 a new filter was added, based on the proposal in #41146.
 However, the output of the classes added via new filter is incorrect.

 `sanitize_html_class` is being used for escaping an output, which has 2

 1) an escaping function should be used (eg.: `esc_attr`)
 2) `sanitize_html_class` does not allow spaces on it's output ( only
 `[A-Za-z0-9_-]` ), so the `implode( ' ' )` is being reverted and all new
 classes added via filter are concatenated w/o space in between them.

 To mitigate the issue, `esc_attr` should be used in
 wp-ms-users-list-table.php?rev=44977#L355 instead of the

Ticket URL: <https://core.trac.wordpress.org/ticket/46990>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list