[wp-trac] [WordPress Trac] #44054: Privacy: Escape the comment link output in the wp_comments_personal_data_exporter() function.
WordPress Trac
noreply at wordpress.org
Sat May 12 10:05:37 UTC 2018
#44054: Privacy: Escape the comment link output in the wp_comments_personal_data_exporter() function.
--------------------------+-----------------------------
Reporter: birgire | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: trunk
Severity: normal | Keywords: gdpr
Focuses: |
--------------------------+-----------------------------
In the {{{wp_comments_personal_data_exporter()}}} function we have
([https://github.com/WordPress/WordPress/blob/3d4c461e504812689f97b7062f6da9d155448bc9/wp-includes/comment.php#L3356 src]):
{{{
$value = get_comment_link( $comment->comment_ID );
$value = '<a href="' . $value . '" target="_blank" rel="noreferrer noopener">' . $value . '</a>';
}}}
but it looks like the escaping is missing here.
Also the output of {{{get_comment_link()}}} is filterable and not escaped.
We could consider instead:
{{{
$value = get_comment_link( $comment->comment_ID );
$value = sprintf(
'<a href="%1$s" target="_blank" rel="noreferrer noopener">%2$s</a>',
esc_url( $value ),
esc_html( $value )
);
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44054>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
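To see the difference the ticket describes, the following added script (not WordPress core code and not part of the ticket) renders one filtered comment link both ways and parses each result; the comment ID, the filter callback and running it with `wp eval-file` are assumptions.

```php
<?php
/**
 * Added example, not WordPress core code. Run on a test site with:
 *   wp eval-file check-comment-link.php
 * It compares the unescaped rendering quoted in the ticket with the proposed
 * escaped rendering for a comment link altered through the 'get_comment_link'
 * filter. $comment_id and the filter callback are assumptions.
 */

$comment_id = 1; // assumption: an existing comment on the test site

// Constructed filter value containing characters that end an HTML attribute;
// it stands in for any plugin that filters the link.
add_filter( 'get_comment_link', function ( $link ) {
	return $link . '"><em>constructed</em>';
}, 10, 1 );

// Rendering currently in wp_comments_personal_data_exporter() (ticket snippet).
function render_unescaped( $value ) {
	return '<a href="' . $value . '" target="_blank" rel="noreferrer noopener">' . $value . '</a>';
}

// Proposed rendering: esc_url() for the attribute, esc_html() for the text node.
function render_escaped( $value ) {
	return sprintf(
		'<a href="%1$s" target="_blank" rel="noreferrer noopener">%2$s</a>',
		esc_url( $value ),
		esc_html( $value )
	);
}

// Counts the <a> and <em> elements an HTML parser actually produces.
function element_counts( $html ) {
	$dom = new DOMDocument();
	libxml_use_internal_errors( true );
	$dom->loadHTML( '<div>' . $html . '</div>' );
	libxml_clear_errors();
	return array(
		'a'  => $dom->getElementsByTagName( 'a' )->length,
		'em' => $dom->getElementsByTagName( 'em' )->length,
	);
}

$value = get_comment_link( $comment_id );

foreach ( array( 'unescaped' => render_unescaped( $value ), 'escaped' => render_escaped( $value ) ) as $label => $html ) {
	$counts = element_counts( $html );
	printf( "%-10s %s\n", $label, $html );
	printf( "           parsed elements: a=%d em=%d\n", $counts['a'], $counts['em'] );
}
```

With the filter in place the unescaped rendering parses to an extra `em` element injected by the filtered value, while the escaped rendering parses to the single anchor only, because esc_url() strips the quote and angle brackets from the attribute and esc_html() encodes them in the link text.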