[wp-trac] [WordPress Trac] #22326: Inconsistent escaping in admin_color_scheme_picker()

WordPress Trac noreply at wordpress.org
Tue Oct 30 22:44:00 UTC 2012


#22326: Inconsistent escaping in admin_color_scheme_picker()
-----------------------------+----------------------------
 Reporter:  johnjamesjacoby  |       Type:  defect (bug)
   Status:  new              |   Priority:  normal
Milestone:  Awaiting Review  |  Component:  Administration
  Version:                   |   Severity:  normal
 Keywords:                   |
-----------------------------+----------------------------
 '''Problem'''

 The output from admin_color_scheme_picker() inconsistently escapes
 variables created while looping through the $_wp_admin_css_colors global.

 ----

 '''More Info'''

 Unescaped variables:

 * $color (in some places)
 * $color_info->name
 * $html_color

 Escaped variable:
 * $color (in one place)

 ----

 '''Solutions'''

 * Escape everything. This makes the most sense to me; we shouldn't expect
 anyone that's using wp_admin_css_color() to pass already escaped output.
 Note that core does not escape its own usage here.
 * Escape nothing, and expect escaped input. This is consistent with the
 rest of the function, but lame and complicated.

 ----

 '''Patch Attached'''

 Attached patch escapes all variable screen output.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/22326>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
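As an added illustration of the "escape everything" option the ticket favours, the snippet below renders a colour-scheme picker in the shape described above and escapes each of the three variables the ticket names for the context it lands in. This is not the attached patch and not WordPress's own admin_color_scheme_picker(); the `$_wp_admin_css_colors` entries are constructed sample data, and the `esc_attr()`/`esc_html()` fallbacks are stand-ins so the file runs from the PHP CLI outside WordPress.

```php
<?php
// Added example, not the ticket's patch. Stand-ins for the WordPress escaping
// helpers so this runs from the PHP CLI; inside WordPress the real functions win.
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
}
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
}

// Constructed sample data in the shape a plugin registers via wp_admin_css_color().
// The second entry carries characters that would break out of an attribute or
// inject markup if echoed raw, which is what consistent escaping prevents.
$_wp_admin_css_colors = array(
	'fresh' => (object) array(
		'name'   => 'Gray',
		'colors' => array( '#333', '#464646', '#6d6d6d', '#dbdbdb' ),
	),
	'acme"x' => (object) array(
		'name'   => 'Acme <b>Blue</b>',
		'colors' => array( '#0073aa', 'red" onmouseover="alert(1)' ),
	),
);

// Hypothetical renderer: esc_attr() for every attribute value ($color, $html_color),
// esc_html() for text between tags ($color_info->name).
function example_color_scheme_picker( array $schemes, $current_color ) {
	$out = '<fieldset>';
	foreach ( $schemes as $color => $color_info ) {
		$id      = 'admin_color_' . esc_attr( $color );
		$checked = ( $color === $current_color ) ? ' checked="checked"' : '';
		$out .= sprintf(
			'<div class="color-option"><input name="admin_color" id="%1$s" type="radio" value="%2$s"%3$s />',
			$id,
			esc_attr( $color ),
			$checked
		);
		$out .= '<table class="color-palette"><tr>';
		foreach ( $color_info->colors as $html_color ) {
			// Both the style value and the title attribute are attribute contexts.
			$out .= sprintf(
				'<td style="background-color: %1$s" title="%2$s">&nbsp;</td>',
				esc_attr( $html_color ),
				esc_attr( $color )
			);
		}
		$out .= '</tr></table>';
		$out .= sprintf(
			'<label for="%1$s">%2$s</label></div>',
			$id,
			esc_html( $color_info->name )
		);
	}
	return $out . '</fieldset>';
}

echo example_color_scheme_picker( $_wp_admin_css_colors, 'fresh' ), "\n";
```

Running it shows the second scheme's key, name and palette value arriving in the output as inert text (`&quot;`, `&lt;b&gt;`), so the injected attribute in the constructed sample never becomes live markup; the same helpers applied inside the real loop are what the ticket's patch aims for.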

