[wp-trac] [WordPress Trac] #43723: Sanitize user_contactmethods output

WordPress Trac noreply at wordpress.org
Mon Apr 9 14:12:17 UTC 2018


#43723: Sanitize user_contactmethods output
----------------------------+-----------------------------
 Reporter:  BjornW          |      Owner:
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  Administration  |    Version:  trunk
 Severity:  normal          |   Keywords:
  Focuses:                  |
----------------------------+-----------------------------
 Data supplied in an array to the user-edit.php page via the filter
 'user_contactmethods' is not properly escaped when it is output.

 As you can see in
 [https://core.trac.wordpress.org/browser/trunk/src/wp-admin/user-edit.php#L527 user-edit.php]
 the values of the $name and $desc variables are directly echoed using echo.

 I'd expect it to use the WordPress Core
 [https://developer.wordpress.org/reference/functions/esc_attr/ esc_attr()]
 as the data is used as part of an HTML tag's attribute and therefore should be
 limited to what is allowed inside an HTML attribute.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/43723>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
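As an added example (not WordPress core's code), the row-rendering pattern the ticket describes beside a form that escapes the filter-supplied $name and $desc; the esc_attr()/esc_html() stand-ins and the sample contact-method array are assumptions so the snippet runs outside WordPress:

```php
<?php
// Added example, not WordPress core code: renders one contact-method row the
// way user-edit.php does, first as the ticket describes it (raw echo of the
// filter-supplied $name and $desc) and then with context-appropriate escaping.

// Stand-ins so the file runs outside WordPress; inside WordPress the core
// esc_attr()/esc_html() functions are used instead (assumption).
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// As reported: $name lands in attributes and $desc in label text unescaped.
// Only the stored user value is passed through esc_attr().
function render_contact_row_unescaped( $name, $desc, $value ) {
    return '<tr class="user-' . $name . '-wrap">'
        . '<th><label for="' . $name . '">' . $desc . '</label></th>'
        . '<td><input type="text" name="' . $name . '" id="' . $name . '" value="'
        . esc_attr( $value ) . '" class="regular-text" /></td></tr>';
}

// Hardened: every filter-supplied string is escaped for the context it lands
// in, attribute values with esc_attr() and label text with esc_html().
function render_contact_row_escaped( $name, $desc, $value ) {
    $attr = esc_attr( $name );
    return '<tr class="user-' . $attr . '-wrap">'
        . '<th><label for="' . $attr . '">' . esc_html( $desc ) . '</label></th>'
        . '<td><input type="text" name="' . $attr . '" id="' . $attr . '" value="'
        . esc_attr( $value ) . '" class="regular-text" /></td></tr>';
}

// Constructed sample: what a plugin might return from the 'user_contactmethods'
// filter, with a key and label containing characters HTML treats specially.
$contact_methods = array( 'im "handle"' => 'IM <handle>' );
$profile_values  = array( 'im "handle"' => 'someone' );

foreach ( $contact_methods as $name => $desc ) {
    $value = $profile_values[ $name ];
    echo "Unescaped: ", render_contact_row_unescaped( $name, $desc, $value ), "\n";
    echo "Escaped:   ", render_contact_row_escaped( $name, $desc, $value ), "\n";
}
```

In the unescaped output the quote in the key closes the class, for, name and id attributes early, which is the condition esc_attr() removes.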
