[wp-trac] [WordPress Trac] #20476: Twenty Eleven: replace esc_attr( printf() ) with sprintf to prevent potential xss and potential broken code.
WordPress Trac
wp-trac at lists.automattic.com
Wed Apr 18 07:49:45 UTC 2012
#20476: Twenty Eleven: replace esc_attr( printf() ) with sprintf to prevent
potential xss and potential broken code.
---------------------------+------------------------------
Reporter: chellycat | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Bundled Theme | Version: 3.3
Severity: normal | Resolution:
Keywords: |
---------------------------+------------------------------
Comment (by SergeyBiryukov):
Not sure I understand the connection between the description and the
patch, since there's no `esc_attr()` call in that line.
Furthermore, `esc_attr( printf() )` doesn't seem to be used anywhere in
Twenty Eleven.
According to [comment:ticket:19712:5], translated strings like that should
only be escaped in attributes, which is not the case here.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/20476#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
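The distinction the ticket title and this comment turn on, shown as an added example (not code from the ticket, the patch, or Twenty Eleven): `printf()` writes its output immediately and returns an integer byte count, so wrapping it in `esc_attr()` escapes nothing and the untrusted value has already been emitted into the attribute. Building the string with `sprintf()` first, then escaping, is the form that works in an attribute. The `esc_attr()` and `__()` below are minimal stand-ins so the script runs without WordPress loaded (the real functions do more, such as charset handling and translation lookup), and the `$tag_name` value is a constructed sample.

```php
<?php
// Added example, not part of the ticket or of Twenty Eleven.
// esc_attr() and __() are simplified stand-ins for the WordPress functions.

function __( $text ) {
    // Stand-in for WordPress __(): no translation table here, returns the text unchanged.
    return $text;
}

function esc_attr( $text ) {
    // Stand-in for WordPress esc_attr(): encode characters that could close a quoted attribute.
    return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
}

// Constructed sample value, standing in for data read from the database.
$tag_name = '" onmouseover="alert(1)';

// 1. The pattern the ticket title names: printf() echoes the unescaped string at once
//    and returns the number of bytes written. esc_attr() only ever sees that integer,
//    and its escaped return value is discarded, so the attribute is already broken open.
function render_broken( $tag_name ) {
    ob_start();
    echo '<a title="';
    esc_attr( printf( __( 'View all posts in %s' ), $tag_name ) ); // escaped int thrown away
    echo '">';
    return ob_get_clean();
}

// 2. Attribute context done correctly: format with sprintf() first, escape the
//    finished string, then output it.
function render_fixed( $tag_name ) {
    ob_start();
    echo '<a title="';
    echo esc_attr( sprintf( __( 'View all posts in %s' ), $tag_name ) );
    echo '">';
    return ob_get_clean();
}

// Returns true when the rendered markup still contains the attribute value intact,
// i.e. no unescaped double quote appeared between the opening and closing quote.
function attribute_is_intact( $html ) {
    return preg_match( '/^<a title="[^"]*">$/', $html ) === 1;
}

$broken = render_broken( $tag_name );
$fixed  = render_fixed( $tag_name );

echo "broken: {$broken}\n";
echo "fixed:  {$fixed}\n";
echo 'broken intact? ' . ( attribute_is_intact( $broken ) ? 'yes' : 'no' ) . "\n";
echo 'fixed intact?  ' . ( attribute_is_intact( $fixed ) ? 'yes' : 'no' ) . "\n";
```

Running this prints the broken variant with the raw `"` and `onmouseover=` inside the `title` attribute, while the fixed variant shows `&quot;` in their place and the attribute survives the check. The same `sprintf()` then `esc_attr()` ordering applies to any translated string placed in an attribute; in plain body text, the case SergeyBiryukov points to, no attribute escaping is involved and `printf()` on the translated string is the ordinary form.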