[wp-trac] [WordPress Trac] #44115: Add `esc_html` to get_comment_link

WordPress Trac noreply at wordpress.org
Mon May 21 12:39:56 UTC 2018


#44115: Add `esc_html` to get_comment_link
--------------------------+-----------------------------
 Reporter:  1naveengiri   |       Owner:  iandunn
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:  4.9.7
Component:  Comments      |     Version:
 Severity:  normal        |  Resolution:  fixed
 Keywords:  fixed-major   |     Focuses:  administration
--------------------------+-----------------------------
Changes (by SergeyBiryukov):

 * status:  reopened => closed
 * resolution:   => fixed


Comment:

 In [changeset:"43301" 43301]:
 {{{
 #!CommitTicketReference repository="" revision="43301"
 Comments: Escape permalink values on edit screen to prevent XSS.

 There doesn't appear to be any way for an attacker to introduce malicious
 input into the URL, unless a plugin is filtering the URL to add it, but
 it's better to be safe than sorry.

 Props 1naveengiri, joyously.
 Merges [43290] to the 4.9 branch.
 Fixes #44115.
 }}}
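The changeset above escapes the permalink because a plugin hooked on the `get_comment_link` filter can change what the edit screen echoes. The following is an added example, not WordPress core code: it models that filter chain with minimal stand-ins for `add_filter`, `apply_filters` and `esc_html` (assumed to be absent outside WordPress), and shows the raw versus escaped output for a constructed link.

```php
<?php
// Added example (not WordPress core code): a stripped-down model of how a
// plugin filter can alter the value returned by get_comment_link(), and why
// the comment edit screen must escape that value before echoing it.

// Minimal stand-ins for the WordPress hook API and esc_html() (assumption:
// they are not defined outside WordPress; inside WordPress the real ones win).
if (!function_exists('apply_filters')) {
    $GLOBALS['wp_filter'] = [];
    function add_filter(string $hook, callable $cb): void {
        $GLOBALS['wp_filter'][$hook][] = $cb;
    }
    function apply_filters(string $hook, $value) {
        foreach ($GLOBALS['wp_filter'][$hook] ?? [] as $cb) {
            $value = $cb($value);
        }
        return $value;
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Simplified model of get_comment_link(): core builds the URL, then passes it
// through the 'get_comment_link' filter, which any plugin may hook.
function model_get_comment_link(int $comment_id): string {
    $link = 'https://example.com/?p=1#comment-' . $comment_id;
    return apply_filters('get_comment_link', $link);
}

// Constructed: a careless plugin appends untrusted text to the link.
add_filter('get_comment_link', function (string $link): string {
    return $link . '"><em>injected</em><a href="';
});

$link = model_get_comment_link(2);

// Before changeset 43301: raw interpolation, so the quote ends the href
// attribute and the rest of the value becomes new markup.
$before = '<a href="' . $link . '">' . $link . '</a>';

// After: every quote and angle bracket becomes an entity, so the browser
// renders the whole value as text, inside and outside the attribute.
$after = '<a href="' . esc_html($link) . '">' . esc_html($link) . '</a>';

echo $before, "\n", $after, "\n";
```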

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/44115#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform