[wp-trac] [WordPress Trac] #22690: Twenty Twelve: twentytwelve_content_nav $nav_id is not validated.
WordPress Trac
noreply at wordpress.org
Mon Dec 3 19:49:01 UTC 2012
#22690: Twenty Twelve: twentytwelve_content_nav $nav_id is not validated.
---------------------------+------------------
Reporter: ounziw | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.5
Component: Bundled Theme | Version:
Severity: minor | Resolution:
Keywords: has-patch |
---------------------------+------------------
Comment (by nacin):
Looks like the only difference between sanitize_html_class() and
sanitize_key() is that the former A) allows for a fallback value, B) has a
filter, C) strips octets. They use the same sanitization.
It's possible that in the future, sanitize_html_class() is expanded to all
characters possible in a class, which is slightly different than what is
allowed in an ID.
sanitize_key() seems fine here. But, either function could break a
hypothetically valid ID already in use. "nav below" is not a valid ID.
Perhaps we rename the argument from $nav_id to $html_id and then just drop
esc_attr() in. There is only so much we should do to prevent someone from
shooting themselves in the foot. Eventually they're just going to do it.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/22690#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
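
The trade-off discussed in the comment above, shown as an added example that is not part of the ticket, its patch, or WordPress core. The three `demo_*` helpers are simplified stand-ins written for this illustration (assumed to approximate the behaviour of sanitize_key(), sanitize_html_class() and esc_attr()), and the sample `$nav_id` values are constructed.

```php
<?php
// Added illustration. The demo_* helpers are simplified stand-ins, not WordPress code.

// Stand-in for sanitize_key(): lowercase, then keep only a-z, 0-9, "_" and "-".
function demo_sanitize_key(string $key): string {
    return preg_replace('/[^a-z0-9_\-]/', '', strtolower($key));
}

// Stand-in for sanitize_html_class(): strip percent-encoded octets, keep only
// A-Z, a-z, 0-9, "_" and "-", and return the fallback if nothing is left.
function demo_sanitize_html_class(string $class, string $fallback = ''): string {
    $clean = preg_replace('/%[a-fA-F0-9]{2}/', '', $class);
    $clean = preg_replace('/[^A-Za-z0-9_-]/', '', $clean);
    return $clean === '' ? $fallback : $clean;
}

// Stand-in for esc_attr(): encode HTML-special characters and change nothing else.
function demo_esc_attr(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample values for $nav_id.
$samples = [
    'nav-below',   // the expected kind of value: unchanged by all three
    'nav below',   // the invalid ID named in the comment
    'Nav.Below',   // an ID that existing CSS or JS might already target
    'nav"><b>',    // a value that would break out of the attribute if printed raw
    '%22%3E',      // percent-encoded octets: emptied by the class sanitizer only
];

foreach ($samples as $nav_id) {
    printf("input     %s\n", $nav_id);
    // Sanitizers rewrite the value, so an ID already in use can silently change.
    printf("  key     id=\"%s\"\n", demo_sanitize_key($nav_id));
    printf("  class   id=\"%s\"\n", demo_sanitize_html_class($nav_id, 'nav'));
    // Escaping keeps the value, invalid or not, but it can no longer close the attribute.
    printf("  escape  id=\"%s\"\n\n", demo_esc_attr($nav_id));
}
```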