[wp-trac] [WordPress Trac] #53349: Added esc_attr in Edit Comment Form Field
WordPress Trac
noreply at wordpress.org
Mon Jun 7 18:37:20 UTC 2021
#53349: Added esc_attr in Edit Comment Form Field
--------------------------+-----------------------------------------------
Reporter: utsav72640 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 5.8
Component: Comments | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses: administration, coding-standards
--------------------------+-----------------------------------------------
Changes (by SergeyBiryukov):
* focuses: coding-standards => administration, coding-standards
* component: General => Comments
* milestone: Awaiting Review => 5.8
Comment:
Hi there, thanks for the patch!
It looks like `esc_attr()` here was previously removed in [11721].
Technically, it would be redundant, as the `comment_author`,
`comment_author_email`, and `comment_author_url` fields are all escaped
with `esc_textarea()` via `format_to_edit()` called from
`get_comment_to_edit()`, before the
[source:tags/5.7.2/src/wp-admin/comment.php?marks=89-91#L88 edit-form-comment.php file is loaded].
That said, since `comment_author` and `comment_author_url` are also
escaped with `esc_attr()` in the same form, I don't see any harm in doing
that for `comment_author_email` too, for consistency and to avoid any
future confusion.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53349#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
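
The redundancy discussed in the comment above, as an added example that is not part of the original message or of WordPress core: it shows that escaping an already-escaped value a second time for an attribute leaves it unchanged, and that the second call only matters if a raw value ever reaches the form. The `demo_*` functions are simplified stand-ins for `esc_textarea()` and `esc_attr()` (assumption: filters and charset/UTF-8 checks are omitted), and the sample value and input name are constructed.

```php
<?php
// Simplified stand-ins so this runs without WordPress loaded (assumption:
// the real helpers also apply filters and charset/UTF-8 validation).

// Stand-in for esc_textarea(): encodes &, <, >, " and ' as HTML entities.
function demo_esc_textarea( string $text ): string {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
}

// Stand-in for esc_attr(): same characters, but existing entities are left
// alone (double_encode = false), so pre-escaped text passes through as-is.
function demo_esc_attr( string $text ): string {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8', false );
}

// Constructed sample value for the comment_author_email field.
$stored = 'jo"e&co@example.org';

// Path 1: the value arrives via get_comment_to_edit(), which has already
// run it through format_to_edit() / esc_textarea().
$from_edit = demo_esc_textarea( $stored );

// Path 2 (hypothetical): a future caller hands the raw value to the form.
$raw = $stored;

$cases = array(
    'pre-escaped, echoed as-is'  => $from_edit,
    'pre-escaped, then esc_attr' => demo_esc_attr( $from_edit ),
    'raw, echoed as-is'          => $raw,
    'raw, then esc_attr'         => demo_esc_attr( $raw ),
);

// Render each case into the same attribute context (constructed input name).
foreach ( $cases as $label => $value ) {
    printf( "%-27s <input name=\"email\" value=\"%s\" />\n", $label, $value );
}

// The second escape is a no-op on the value produced by path 1.
var_dump( demo_esc_attr( $from_edit ) === $from_edit );

// On path 2 it is what keeps the double quote from closing the attribute.
var_dump( strpos( demo_esc_attr( $raw ), '"' ) === false );
```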