[wp-trac] [WordPress Trac] #46990: Properly escape output of the ms_user_list_site_class filter
WordPress Trac
noreply at wordpress.org
Fri Apr 19 11:28:02 UTC 2019
#46990: Properly escape output of the ms_user_list_site_class filter
--------------------------------+-----------------------------
Reporter: david.binda | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Networks and Sites | Version: trunk
Severity: normal | Keywords:
Focuses: multisite |
--------------------------------+-----------------------------
In r44977 a new filter was added, based on the proposal in #41146.
However, the output of the classes added via the new filter is incorrect.
`sanitize_html_class` is being used for escaping the output, which has 2
flaws:
1) an escaping function should be used (e.g. `esc_attr`)
2) `sanitize_html_class` does not allow spaces in its output (only
`[A-Za-z0-9_-]`), so the `implode( ' ' )` is being reverted and all new
classes added via the filter are concatenated w/o a space in between them.
To mitigate the issue, `esc_attr` should be used in
https://core.trac.wordpress.org/browser/trunk/src/wp-admin/includes/class-wp-ms-users-list-table.php?rev=44977#L355
instead of the `sanitize_html_class`.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/46990>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
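The two flaws the ticket describes, run side by side. This is an added example, not code from the ticket or from WordPress core: `sanitize_html_class_stub()` and `esc_attr_stub()` are stand-ins that reproduce only the relevant behaviour of the core functions (strip everything outside `[A-Za-z0-9_-]` versus HTML-encode for an attribute context), the `$site_classes` and `$hostile` arrays are constructed inputs standing in for what a callback on `ms_user_list_site_class` might return, and the final "sanitize each class, then escape" variant is a suggestion of mine rather than something the ticket proposes.

```php
<?php
// Added example (not WordPress core code). The two stubs below imitate the
// behaviour of sanitize_html_class() and esc_attr() that matters here so the
// snippet runs without a WordPress install.

// Mimics sanitize_html_class(): drop percent-encoded sequences, then drop
// every character outside [A-Za-z0-9_-]. A space is not in that set, which is
// why a whole space-separated class list collapses into one token.
function sanitize_html_class_stub( $class ) {
    $sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $class );
    return preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );
}

// Mimics esc_attr(): encode for an HTML attribute context, quotes included.
// Spaces survive, so the class list stays a class list.
function esc_attr_stub( $text ) {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
}

// Constructed input: classes a filter callback might add for one site row.
$site_classes = array( 'site-1', 'is-main-site', 'custom-class' );

// Flaw 2 from the ticket: sanitizing the joined string undoes implode( ' ' ).
$buggy = sanitize_html_class_stub( implode( ' ', $site_classes ) );
echo "buggy: {$buggy}\n";
// buggy: site-1is-main-sitecustom-class

// The proposed fix: escape the joined string for attribute output.
$fixed = esc_attr_stub( implode( ' ', $site_classes ) );
echo "fixed: {$fixed}\n";
// fixed: site-1 is-main-site custom-class

// Flaw 1 from the ticket: escaping, not sanitizing, is what an attribute
// context needs. Constructed value containing a double quote, to show that
// esc_attr() keeps it from closing the class attribute.
$hostile = array( 'site-1', 'x" data-x="y' );
echo '<tr class="' . esc_attr_stub( implode( ' ', $hostile ) ) . '">' . "\n";
// <tr class="site-1 x&quot; data-x=&quot;y">

// Suggestion of mine, not from the ticket: if the intent is also to keep
// each class a valid class name, sanitize per item and then escape the
// joined result, so neither step cancels the other.
$both = esc_attr_stub( implode( ' ', array_map( 'sanitize_html_class_stub', $hostile ) ) );
echo "both: {$both}\n";
// both: site-1 xdata-xy
```

The key point is that `sanitize_html_class` is a per-class-name sanitizer and never a substitute for output escaping: at the point of output the joined list belongs inside an attribute, so `esc_attr` is the function that matches that context, and any per-class sanitizing has to happen before the `implode`, not after it.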