[wp-trac] [WordPress Trac] #58336: Potential XSS on admin_body_class hook
WordPress Trac
noreply at wordpress.org
Wed May 17 09:19:30 UTC 2023
#58336: Potential XSS on admin_body_class hook
------------------------------------------+---------------------
Reporter: rafiem | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 6.3
Component: Security | Version:
Severity: normal | Resolution:
Keywords: needs-patch needs-unit-tests | Focuses:
------------------------------------------+---------------------
Comment (by SergeyBiryukov):
Replying to [comment:3 audrasjb]:
> The easier way to handle this would probably be to sanitize `$admin_body_classes` late, when displaying the classes:
>
> {{{#!php
> $admin_body_classes = apply_filters( 'admin_body_class', '' );
> $admin_body_classes = ltrim( $admin_body_classes . ' ' . $admin_body_class );
> ?>
> <body class="wp-admin wp-core-ui no-js <?php echo sanitize_html_class( $admin_body_classes ); ?>">
> }}}
Would `esc_attr()` be more appropriate here? I think that's what we
generally use for escaping in cases like this.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58336#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
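Editor's note, added to this thread and not part of the ticket or of WordPress core: the two functions under discussion behave very differently on a space-separated class list, and the stand-alone script below makes that visible. The filter callback output and the core class string are constructed values for this example; the two `function_exists()` fallbacks approximate what `esc_attr()` and `sanitize_html_class()` do (attribute encoding with `ENT_QUOTES`, and stripping of `%xx` sequences plus every character outside `[A-Za-z0-9_-]`) so the script runs without loading WordPress. Inside a WordPress install the real functions are used instead.

```php
<?php
// Added example: late escaping of the admin_body_class output.
// Not code from the ticket or from WordPress core.

if ( ! function_exists( 'esc_attr' ) ) {
	// Stand-alone approximation of core's esc_attr() (assumption):
	// HTML attribute encoding including both quote characters.
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
}

if ( ! function_exists( 'sanitize_html_class' ) ) {
	// Stand-alone approximation of core's sanitize_html_class() (assumption):
	// drop percent-encoded bytes, then everything outside [A-Za-z0-9_-].
	function sanitize_html_class( $class ) {
		$class = preg_replace( '/%[a-fA-F0-9]{2}/', '', (string) $class );
		return preg_replace( '/[^A-Za-z0-9_-]/', '', $class );
	}
}

/**
 * Build the class list the same way the quoted patch does, then render it
 * with each candidate treatment. Returns the four rendered <body> tags.
 */
function render_body_tags( $filtered_classes, $core_classes ) {
	$combined = ltrim( $filtered_classes . ' ' . $core_classes );

	// Whole list through sanitize_html_class(): the quote is removed, but so
	// is every space, so the separate classes collapse into one token.
	$one_token = sanitize_html_class( $combined );

	// Whole list through esc_attr(): spaces survive, quotes are encoded,
	// so the string cannot close the class attribute.
	$escaped = esc_attr( $combined );

	// Per-class sanitising: split on whitespace, sanitise each token, drop
	// empties. Keeps valid class names and cannot break out either.
	$tokens    = preg_split( '/\s+/', $combined, -1, PREG_SPLIT_NO_EMPTY );
	$per_class = implode( ' ', array_filter( array_map( 'sanitize_html_class', $tokens ) ) );

	return array(
		'unescaped'           => '<body class="wp-admin wp-core-ui no-js ' . $combined . '">',
		'sanitize_html_class' => '<body class="wp-admin wp-core-ui no-js ' . $one_token . '">',
		'esc_attr'            => '<body class="wp-admin wp-core-ui no-js ' . $escaped . '">',
		'per_class'           => '<body class="wp-admin wp-core-ui no-js ' . $per_class . '">',
	);
}

// Constructed input: a hypothetical admin_body_class callback that returns
// a string closing the attribute, plus a plausible set of core classes.
$filtered_classes = 'folded" onload="alert(1)';
$core_classes     = 'branch-6-3 version-6-3';

foreach ( render_body_tags( $filtered_classes, $core_classes ) as $label => $tag ) {
	printf( "%-20s %s\n", $label . ':', $tag );
}
```

Running it prints the unescaped tag with a live `onload` attribute, the `sanitize_html_class` tag with the single class `foldedonloadalert1branch-6-3version-6-3`, the `esc_attr` tag with `folded&quot; onload=&quot;alert(1) branch-6-3 version-6-3` still inside the attribute, and the per-class tag with `folded onloadalert1 branch-6-3 version-6-3`. The point for the ticket: `esc_attr()` is the attribute-context escape and preserves the list; `sanitize_html_class()` is a per-class-name sanitizer and only gives sensible output when applied to one class at a time.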