[wp-trac] [WordPress Trac] #24907: Escape admin_url() when used for ajax_url in admin header
WordPress Trac
noreply at wordpress.org
Sat Oct 5 18:48:05 UTC 2013
#24907: Escape admin_url() when used for ajax_url in admin header
--------------------------+------------------------------
Reporter: jeremyfelt | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 2.7
Severity: normal | Resolution:
Keywords: has-patch |
--------------------------+------------------------------
Comment (by azaozz):
`esc_js()` would work but is intended for escaping of
[http://core.trac.wordpress.org/browser/trunk/src/wp-includes/formatting.php#L2689 inline JS].
The [http://core.trac.wordpress.org/browser/trunk/src/wp-includes/formatting.php#L2703 _wp_specialchars()]
used there could break it. Don't think we have a suitable `esc_*` function when we echo arbitrary
PHP strings inside a `<script>` tag.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24907#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
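The point raised in the comment above, as an added example that is not part of the original message or of WordPress core: entity-encoding a PHP string before echoing it into a `<script>` block changes the value the script receives, because HTML entities are not decoded there. It uses plain PHP only; `htmlspecialchars()` stands in for the entity-encoding step (an assumption), `json_encode()` with the `JSON_HEX_*` flags is one possible alternative and not the ticket's resolution, and the sample URL and helper names are constructed.

```php
<?php
// Added illustration; plain PHP only, no WordPress functions are called.
// htmlspecialchars() stands in for the entity-encoding step (assumption).

// Constructed sample value: a URL with a query string and a hostile suffix.
$url = "/wp-admin/admin-ajax.php?a=1&b=2'</script>";

// Entity-encode, then wrap as a single-quoted JS string literal.
function entity_encoded_literal(string $value): string {
    return "'" . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "'";
}

// JSON-encode so that <, >, &, ' and " are emitted as \uXXXX escapes.
function json_encoded_literal(string $value): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($value, $flags);
}

// Value a script would see for the entity-encoded literal. Inside <script>
// entities are not decoded, so the text between the quotes is taken as-is
// (the sample contains no backslashes, so no JS escapes apply).
function js_value_of_entity_literal(string $literal): string {
    return substr($literal, 1, -1);
}

// Value a script would see for the JSON literal: JS string escapes are
// resolved, which json_decode() reproduces for this subset of the syntax.
function js_value_of_json_literal(string $literal): string {
    return json_decode($literal);
}

$entity = entity_encoded_literal($url);
$json   = json_encoded_literal($url);

printf("entity literal: var exampleUrl = %s;\n", $entity);
printf("json literal:   var exampleUrl = %s;\n", $json);
printf("entity value equals original: %s\n",
    var_export(js_value_of_entity_literal($entity) === $url, true));
printf("json value equals original:   %s\n",
    var_export(js_value_of_json_literal($json) === $url, true));
printf("json literal contains '</script': %s\n",
    var_export(stripos($json, '</script') !== false, true));
```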