[wp-trac] [WordPress Trac] #22326: Inconsistent escaping in admin_color_scheme_picker()
WordPress Trac
noreply at wordpress.org
Tue Oct 30 22:44:00 UTC 2012
#22326: Inconsistent escaping in admin_color_scheme_picker()
-----------------------------+----------------------------
Reporter: johnjamesjacoby | Type: defect (bug)
Status: new | Priority: normal
Milestone: Awaiting Review | Component: Administration
Version: | Severity: normal
Keywords: |
-----------------------------+----------------------------
'''Problem'''
The output from admin_color_scheme_picker() inconsistently escapes
variables created while looping through the $_wp_admin_css_colors global.
----
'''More Info'''
Unescaped variables:
* $color (in some places)
* $color_info->name
* $html_color
Escaped variable:
* $color (in one place)
----
'''Solutions'''
* Escape everything. This makes the most sense to me; we shouldn't expect
anyone that's using wp_admin_css_color() to pass already escaped output.
Note that core does not escape its own usage here.
* Escape nothing, and expect escaped input. This is consistent with the
rest of the function, but lame and complicated.
----
'''Patch Attached'''
Attached patch escapes all variable screen output.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/22326>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
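As an added illustration (not WordPress core's code and not the attached patch), a simplified picker loop in which each variable the ticket lists is escaped for the HTML context it lands in. The loop shape, the sample scheme data and the esc_attr()/esc_html() stand-ins are constructed so the file runs with the plain php CLI outside WordPress:

```php
<?php
// Added illustration, not WordPress core code: render the picker with every
// interpolated value escaped for the HTML context it lands in.
// esc_attr()/esc_html() are WordPress functions; these stand-ins exist only so
// the file runs with the plain php CLI (outside WordPress they are absent).
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}

// Constructed sample shaped like $_wp_admin_css_colors: key => object with
// ->name and ->colors. The second entry carries quote- and tag-breaking
// strings of the kind a third-party wp_admin_css_color() call could pass.
$_wp_admin_css_colors = array(
	'fresh' => (object) array(
		'name'   => 'Fresh',
		'colors' => array( '#333', '#999', '#0073aa' ),
	),
	'odd'   => (object) array(
		'name'   => 'Odd "quoted" <name>',
		'colors' => array( '#fff" extra="x' ),
	),
);

function escaped_color_scheme_picker( array $schemes, $current ) {
	$out = '';
	foreach ( $schemes as $color => $color_info ) {
		$checked = ( $color === $current ) ? ' checked="checked"' : '';
		// $color appears as an id and as a value attribute: esc_attr() both.
		// $color_info->name is text content: esc_html().
		$out .= sprintf(
			'<label><input type="radio" name="admin_color" id="admin_color_%1$s" value="%1$s"%2$s> %3$s</label>' . "\n",
			esc_attr( $color ),
			$checked,
			esc_html( $color_info->name )
		);
		foreach ( $color_info->colors as $html_color ) {
			// $html_color lands inside a style attribute: esc_attr() it too.
			$out .= sprintf( '<span class="color" style="background-color: %s"></span>' . "\n", esc_attr( $html_color ) );
		}
	}
	return $out;
}

echo escaped_color_scheme_picker( $_wp_admin_css_colors, 'fresh' );
```

Running it shows the 'odd' entry's quotes and angle brackets emitted as entities, so the attribute and label boundaries stay where the template put them.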