[wp-trac] [WordPress Trac] #52894: The wp_sanitize_script_attributes function added in version 5.7 does not escape attributes in some cases.

WordPress Trac noreply at wordpress.org
Wed Mar 24 00:26:48 UTC 2021


#52894: The wp_sanitize_script_attributes function added in version 5.7 does not
escape attributes in some cases.
---------------------------+---------------------
 Reporter:  tmatsuur       |       Owner:  (none)
     Type:  defect (bug)   |      Status:  new
 Priority:  normal         |   Milestone:  5.7.1
Component:  Script Loader  |     Version:  5.7
 Severity:  critical       |  Resolution:
 Keywords:  has-patch      |     Focuses:
---------------------------+---------------------

Comment (by joyously):

 This new function isn't sanitizing; it is only escaping. I think it's
 misnamed.
 When the example is output, it has the angle brackets changed to entities,
 but the quotes are still nested, so it's not good.
 If it were to sanitize, it would strip_tags and convert quotes.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/52894#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
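As an added illustration of the distinction joyously draws (example code, not WordPress's wp_sanitize_script_attributes and not from the ticket), the two hypothetical helpers below build a script tag's attribute string from an array: one encodes only angle brackets, the other also encodes quotes via htmlspecialchars with ENT_QUOTES. The attribute names and sample values are constructed for the example.

```php
<?php
// Added example, not WordPress code. Two hypothetical helpers that turn an
// associative array into the attribute string of a <script> tag, to show why
// turning only '<' and '>' into entities is not enough for attribute values.

// Weak variant: angle brackets become entities, but a double quote inside the
// value passes through unchanged and so closes the attribute early.
function build_attrs_angle_only( array $attributes ): string {
    $out = '';
    foreach ( $attributes as $name => $value ) {
        $safe_value = str_replace( array( '<', '>' ), array( '&lt;', '&gt;' ), (string) $value );
        $out       .= sprintf( ' %s="%s"', $name, $safe_value );
    }
    return $out;
}

// Hardened variant: ENT_QUOTES encodes both " and ' as well as < > &, so the
// value can never terminate the quoted attribute it is placed in.
function build_attrs_escaped( array $attributes ): string {
    $out = '';
    foreach ( $attributes as $name => $value ) {
        $safe_value = htmlspecialchars( (string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
        $out       .= sprintf( ' %s="%s"', $name, $safe_value );
    }
    return $out;
}

// Constructed input: the nonce value carries a double quote followed by text
// shaped like a second attribute, plus angle brackets.
$attributes = array(
    'src'   => 'https://example.com/app.js',
    'nonce' => 'abc" data-x="<b>',
);

// With the weak helper the browser parses the nonce as "abc" and sees a
// separate data-x attribute that the caller never intended to emit.
echo '<script' . build_attrs_angle_only( $attributes ) . "></script>\n";

// With the hardened helper the entire original value stays inside nonce="...",
// because the embedded quotes have become &quot; entities.
echo '<script' . build_attrs_escaped( $attributes ) . "></script>\n";
```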