[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Wed Feb 24 13:24:57 UTC 2021
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
Reporter: tomdxw                                 | Owner: adamsilverstein
Type: enhancement                                | Status: closed
Priority: normal                                 | Milestone: 5.7
Component: Security                              | Version: 4.8
Severity: normal                                 | Resolution: fixed
Keywords: has-patch has-unit-tests commit        | Focuses: javascript
          has-dev-note                           |
-------------------------------------------------+-------------------------
Comment (by juliobox):
Hey there,
In https://core.trac.wordpress.org/attachment/ticket/39941/39941.diff we
have:
{{{
sprintf( ' %1$s="%1$s"', $attribute_name );
}}}
which is not fine because of a lack of esc_attr, good.
So this one patched it:
https://core.trac.wordpress.org/attachment/ticket/39941/39941.2.diff
{{{
sprintf( ' %1$s="%2$s"', $attribute_name, esc_attr( $attribute_name ) );
}}}
Good. Then, in fact, we wanted to secure both things with escaping.
So this patch was added:
https://core.trac.wordpress.org/attachment/ticket/39941/39941.6.diff
In that way:
{{{
sprintf( ' %1$s="%2$s"', esc_attr( $attribute_name ), esc_attr( $attribute_name ) );
}}}
But we do not need the %2$s now.
This is the correct line:
{{{
sprintf( ' %1$s="%1$s"', esc_attr( $attribute_name ) );
}}}
Thanks :)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:94>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
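The escaping progression described in the comment above, as an added stand-alone example (this is not code from the ticket's patches or from WordPress core). It renders a boolean script attribute as ` name="name"` first without and then with escaping, so the difference on a name containing a double quote is visible. Assumptions: outside WordPress there is no `esc_attr()`, so a stand-in built on `htmlspecialchars()` is defined; `build_script_attributes()` and the sample inputs are hypothetical and constructed for the example.

```php
<?php
// Added example, not code from the 39941 patches or from WordPress core.
// Reproduces the pattern discussed in the comment: a boolean attribute such
// as `async` is rendered as ` async="async"`, and once the name is escaped
// a single %1$s placeholder can fill both the name and the value slot.

// Assumption: WordPress's esc_attr() is not available stand-alone, so this
// stand-in approximates it with htmlspecialchars() (quotes are encoded).
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}

/**
 * Unescaped form (the 39941.diff version): the raw name fills both slots.
 * Kept here deliberately as the "before" for comparison.
 */
function boolean_attribute_unescaped( $attribute_name ) {
	return sprintf( ' %1$s="%1$s"', $attribute_name );
}

/**
 * Escaped form (the final line in the comment): escape once, reuse via %1$s.
 */
function boolean_attribute_escaped( $attribute_name ) {
	return sprintf( ' %1$s="%1$s"', esc_attr( $attribute_name ) );
}

/**
 * Hypothetical helper (not WordPress's own): build the attribute string for
 * a <script> tag from a list of boolean attribute names.
 */
function build_script_attributes( array $attribute_names ) {
	$out = '';
	foreach ( $attribute_names as $name ) {
		$out .= boolean_attribute_escaped( $name );
	}
	return $out;
}

// Constructed inputs: two legitimate boolean attribute names, plus a name
// carrying a double quote that closes the attribute value early when it is
// not escaped.
$good    = array( 'async', 'nomodule' );
$hostile = 'async" onload="alert(1)';

echo build_script_attributes( $good ), "\n";
// ` async="async" nomodule="nomodule"`

echo boolean_attribute_unescaped( $hostile ), "\n";
// the raw quote survives in both slots and breaks out of the value

echo boolean_attribute_escaped( $hostile ), "\n";
// the quote is rendered as &quot; in both slots and stays inside the value
```

Run it with `php example.php`; the third line of output shows why escaping the name once and reusing it through `%1$s` is enough, since the attribute name and the attribute value are the same string.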