[wp-trac] [WordPress Trac] #20009: Escape later when getting post and body classes
WordPress Trac
noreply at wordpress.org
Sun Aug 11 19:49:45 UTC 2013
#20009: Escape later when getting post and body classes
------------------------------------+------------------
 Reporter:  mfields                 |      Owner:
     Type:  defect (bug)            |     Status:  new
 Priority:  normal                  |  Milestone:  3.7
Component:  Themes                  |    Version:
 Severity:  normal                  | Resolution:
 Keywords:  has-patch dev-feedback  |
------------------------------------+------------------
Changes (by obenland):
* milestone: Awaiting Review => 3.7
Comment:
Replying to [comment:5 azaozz]:
> What exactly are we escaping here? Values added by plugins? Don't think
> escaping is really needed on class names added from trusted source, keep
> in mind that the HTML class attribute allows the whole UTF-8 charset to be
> used with very little restrictions.
Pre-patch, escaping happened before plugins filtered the output. So
essentially class names added from a trusted source (core) are being
escaped, while the ones added through the filter are not.
mfields' patch swaps the order of function calls so that all class names
are being escaped.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/20009#comment:6>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
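
The ordering discussed in the comment above, as an added example (not code from the ticket, the patch, or WordPress core). All function names are hypothetical, htmlspecialchars() stands in for esc_attr(), and the plugin-supplied class value is constructed for illustration.

```php
<?php
// Hypothetical stand-in for esc_attr(); UTF-8 class names pass through unchanged.
function demo_esc_attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Hypothetical plugin callback on the class filter; the added value is constructed.
function demo_plugin_filter(array $classes): array {
    $classes[] = 'promo" data-injected="1';
    return $classes;
}

// Order described as pre-patch: core classes are escaped, then the filter runs.
function classes_escape_then_filter(array $core): array {
    return demo_plugin_filter(array_map('demo_esc_attr', $core));
}

// Order described for the patch: the filter runs, then every class is escaped.
function classes_filter_then_escape(array $core): array {
    return array_map('demo_esc_attr', demo_plugin_filter($core));
}

// Class names that still carry raw attribute-breaking characters.
function unescaped_classes(array $classes): array {
    return array_values(array_filter($classes, function (string $c): bool {
        return preg_match('/["\'<>]/', $c) === 1;
    }));
}

function render_body_tag(array $classes): string {
    return '<body class="' . implode(' ', $classes) . '">';
}

// Constructed core classes, one of them non-ASCII.
$core = ['home', 'категория-новости'];

foreach (['classes_escape_then_filter', 'classes_filter_then_escape'] as $order) {
    $classes = $order($core);
    echo $order, PHP_EOL;
    echo '  markup:    ', render_body_tag($classes), PHP_EOL;
    echo '  unescaped: ', count(unescaped_classes($classes)), PHP_EOL;
}
```

With the escape-first order the filter-added value reaches the markup with its raw double quote, which ends the class attribute early; with the filter-first order every class, including the filter-added one, is escaped, and the non-ASCII core class is unchanged in both.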