[wp-trac] [WordPress Trac] #51611: Escape echoing Core functions
WordPress Trac
noreply at wordpress.org
Sat Oct 24 04:43:18 UTC 2020
#51611: Escape echoing Core functions
-------------------------+------------------------------
Reporter: lolamax | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
-------------------------+------------------------------
Comment (by lolamax):
Some more testing results in the following:
1. the_archive_title() is not related as it does escape the output (not at
the final stage but within the called functions)!
2. Twenty Nineteen is a bad example, as it only uses the_archive_title()
in archive.php!
3. After testing the_archive_description() in Twenty Seventeen with an XSS
string as author description, I can confirm that it does not escape the
output!
Although the input is properly sanitized and direct database access is
needed in order to actually exploit it, in my opinion it would be better
to escape it.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/51611#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform