[wp-trac] [WordPress Trac] #39865: Escaping functions have filters that allow them to be bypassed
WordPress Trac
noreply at wordpress.org
Mon Feb 13 20:17:39 UTC 2017
#39865: Escaping functions have filters that allow them to be bypassed
--------------------------+-----------------------------
Reporter: welcher | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Formatting | Version: trunk
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
The `esc_*` family of function all contain filters that pass the unescaped
content as the second parameter. This seems to defeat the purpose of the
functions as all it would take would be to add a filter similar to the
following to completely bypass the escaping features.
{{{
add_filter( 'esc_html', 'bypass_escaping', 10, 2 );
function bypass_escaping( $safe_text, $text ) {
return $text;
}
// Call this in any template
echo esc_html( '<script>alert(\'Haxxed\')</script>' );
}}}
My suggestion would be to deprecate the second parameter and if needed add
a filter to for just the `$text` is that is called before the escaping in
the internals of the functions.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39865>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list