[wp-trac] [WordPress Trac] #53459: Escaping function missing.
WordPress Trac
noreply at wordpress.org
Sun Jun 20 18:19:26 UTC 2021
#53459: Escaping function missing.
----------------------------+-----------------------------
 Reporter:  chintan1896     |       Owner:  SergeyBiryukov
     Type:  enhancement     |      Status:  reviewing
 Priority:  normal          |   Milestone:  5.8
Component:  Administration  |     Version:
 Severity:  normal          |  Resolution:
 Keywords:  has-patch       |     Focuses:
----------------------------+-----------------------------
Changes (by SergeyBiryukov):
* keywords: has-patch needs-refresh => has-patch
* owner: (none) => SergeyBiryukov
* status: new => reviewing
* milestone: Awaiting Review => 5.8
Comment:
Replying to [comment:1 mukesh27]:
> Can you please search `network_admin_url` globally in the WordPress
> directory and add the remaining file change?
>
> https://github.com/WordPress/WordPress/blob/master/wp-includes/admin-bar.php#L1058
> https://github.com/WordPress/WordPress/blob/master/wp-includes/link-template.php#L3738
It looks like those instances do not need escaping:
* Toolbar (admin bar) links are already escaped on output, see
[source:tags/5.7.2/src/wp-includes/class-wp-admin-bar.php?marks=541#L537
WP_Admin_Bar::_render_item()].
* `self_admin_url()` is used to retrieve the raw value, pretty much like
`network_admin_url()` itself. The value should be escaped on output
according to the context, and not in the function itself (see #13051 for a
previous discussion).
So the patch seems good as is :)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53459#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
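
The point made in the comment above (a URL getter returns the raw value, and escaping happens at output according to context) shown as an added PHP example; it is not WordPress core code and not part of the ticket. `demo_admin_url()` is a hypothetical stand-in for a raw getter such as `network_admin_url()`, PHP built-ins stand in for WordPress's escaping helpers, and the URL and query values are constructed sample data.

```php
<?php
// Added illustration, not WordPress core code. demo_admin_url() is a
// hypothetical stand-in for a raw URL getter such as network_admin_url().

function demo_admin_url(string $path, array $args = []): string {
    $url = 'https://example.test/wp-admin/network/' . ltrim($path, '/');
    // Return the raw URL: '&' stays '&', nothing is HTML-encoded here.
    return $args ? $url . '?' . http_build_query($args, '', '&', PHP_QUERY_RFC3986) : $url;
}

// Context 1: HTML attribute. Entity-encode at the point of output.
function render_link(string $url, string $label): string {
    return sprintf(
        '<a href="%s">%s</a>',
        htmlspecialchars($url, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($label, ENT_QUOTES, 'UTF-8')
    );
}

// Context 2: HTTP redirect header. No HTML encoding; refuse CR/LF instead.
function redirect_header(string $url): string {
    if (preg_match('/[\r\n]/', $url)) {
        throw new InvalidArgumentException('CR/LF not allowed in a header value');
    }
    return 'Location: ' . $url;
}

// Context 3: inline JavaScript. JSON-encode with the HTML-safe flags.
function js_assignment(string $url): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return 'var adminUrl = ' . json_encode($url, $flags) . ';';
}

// Constructed sample input: a query value containing a double quote.
$raw = demo_admin_url('sites.php', ['s' => 'a"b', 'page' => '2']);

echo render_link($raw, 'Sites'), "\n";
echo redirect_header($raw), "\n";
echo js_assignment($raw), "\n";

// If the getter had HTML-escaped its return value, the redirect header would
// carry a literal "&amp;" and the link output would be double-encoded.
$pre_escaped = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
echo redirect_header($pre_escaped), "\n";
echo render_link($pre_escaped, 'Sites'), "\n";
```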