[wp-trac] [WordPress Trac] #43723: Sanitize user_contactmethods output
WordPress Trac
noreply at wordpress.org
Tue Apr 10 20:04:38 UTC 2018
#43723: Sanitize user_contactmethods output
------------------------------------------------+--------------------------
 Reporter:  BjornW                              |       Owner:
     Type:  defect (bug)                        |      Status:  new
 Priority:  normal                              |   Milestone:  Awaiting Review
Component:  Administration                      |     Version:  trunk
 Severity:  normal                              |  Resolution:
 Keywords:  has-patch 2nd-opinion dev-feedback  |     Focuses:  administration
------------------------------------------------+--------------------------
Comment (by BjornW):
Replying to [comment:4 joyously]:
> At least for the class name, not all values that are valid for an
> attribute are valid for a class name.
> And it looks like the filter name has the unmodified $name variable in
> it?
Is there an escape function which only allows what is allowed for a
class name? If not, my guess is that esc_attr() is the best we have for
now.
And yes, the filter name currently has the unmodified $name in it, which
should probably be escaped as well, but that might have unwanted
side-effects, so my current patch does not touch this (yet).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43723#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
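An added, standalone PHP illustration (not WordPress core's code and not BjornW's patch) of the distinction raised in this exchange: an attribute escape keeps characters such as spaces that are legal inside a quoted attribute value but split a class name, whereas a class-name sanitizer restricts the character set. It stands in for esc_attr() with htmlspecialchars() and for a class-name sanitizer with a preg_replace() (WordPress's own sanitize_html_class() keeps the same [A-Za-z0-9_-] set); the row-building function, the filter-name helper and the sample keys are constructed for the example.

```php
<?php
// Added example, not WordPress core code. Runs without WordPress loaded:
// attr_escape() stands in for esc_attr(), class_sanitize() for a
// class-name-restricting sanitizer such as sanitize_html_class().

// Attribute escape: safe inside a quoted attribute value, but it does
// not restrict the character set (spaces and punctuation survive).
function attr_escape(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Class-name restriction: keep only [A-Za-z0-9_-]; fall back if
// nothing is left, so the markup never ends up with an empty class.
function class_sanitize(string $value, string $fallback = ''): string {
    $clean = preg_replace('/[^A-Za-z0-9_-]/', '', $value);
    return $clean === '' ? $fallback : $clean;
}

// Hypothetical filter-name helper: the hook name is a plain string, so
// restricting it the same way keeps an odd key from producing a hook
// name that no plugin could have registered on purpose.
function filter_name_for(string $name): string {
    return 'user_' . class_sanitize($name, 'unknown') . '_label';
}

// Constructed row builder mirroring the situation in the ticket: the
// contact-method key lands in a class attribute, a for= attribute and
// a filter name. Each context gets the treatment that fits it.
function contact_method_row(string $name, string $label): string {
    $class = class_sanitize($name, 'contact-method');
    $id    = attr_escape($name);
    return sprintf(
        '<tr class="user-%s-wrap"><th><label for="%s">%s</label></th></tr>',
        $class, $id, attr_escape($label)
    );
}

// Constructed sample keys: a normal one, and one containing characters
// that are valid in a quoted attribute but not in a single class name.
$keys = ['twitter' => 'Twitter', 'my chat" x' => 'Chat'];
foreach ($keys as $name => $label) {
    echo contact_method_row($name, $label), "\n";
    echo '  filter: ', filter_name_for($name), "\n";
}
```

For the second key the attribute escape yields `my chat&quot; x` (three space-separated tokens if used as a class), while the class sanitizer yields `mychatx`.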