[wp-trac] [WordPress Trac] #54255: Use esc_html() to escaping variable in about page

WordPress Trac noreply at wordpress.org
Fri Oct 15 15:52:49 UTC 2021


#54255: Use esc_html() to escaping variable in about page
--------------------------+-------------------------------
 Reporter:  sayedulsayem  |       Owner:  (none)
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  Help/About    |     Version:
 Severity:  normal        |  Resolution:  wontfix
 Keywords:  has-patch     |     Focuses:  coding-standards
--------------------------+-------------------------------
Changes (by desrosj):

 * keywords:  has-patch commit => has-patch
 * status:  new => closed
 * resolution:   => wontfix
 * milestone:  5.9 =>


Comment:

 Thanks everyone for taking a look at this!

 I've done some looking back at past versions to see if `$display_version`
 has been escaped in the past, and it looks like it never was.

 Looking into why, my assumption is most likely that `$wp_version` can
 generally be considered trusted. `get_bloginfo( 'version' )` returns the
 value stored in the `$wp_version` global variable. Though there are
 filters in `get_bloginfo()`, the value is not passed through either of
 them because the default context is `raw`, not `display`.

 I'm going to close this out as `wontfix` following precedent.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/54255#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
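The argument in the comment above rests on one detail of `get_bloginfo()`: its `$filter` parameter defaults to `'raw'`, and the `bloginfo` filter is only applied when that parameter is `'display'`, so `get_bloginfo( 'version' )` hands back the `$wp_version` global untouched. The following is an added illustration, not WordPress core code and not part of the ticket: it models that branch in plain PHP with simplified stand-ins for `add_filter()`, `apply_filters()`, `esc_html()` and `get_bloginfo()` (same parameter names as core, reduced bodies), a constructed `$wp_version` value, a hypothetical `display_version()` helper that does what `wp-admin/about.php` does with the string, and a hypothetical plugin filter that wraps the version in markup.

```php
<?php
// Added example, not WordPress core code: a cut-down model of how
// get_bloginfo() treats the 'raw' and 'display' contexts, runnable with
// plain PHP. The real function lives in wp-includes/general-template.php;
// the names below mirror core's, the bodies are simplified stand-ins.

// Stand-in for the $wp_version global (value constructed for this example).
// In core it is set by wp-includes/version.php, a file shipped with
// WordPress, never by request data.
$wp_version = '5.9-beta1-52030';

// Minimal stand-in for the plugin API: one callback list per hook name.
$hooks = [];
function add_filter($hook, callable $cb) {
    global $hooks;
    $hooks[$hook][] = $cb;
}
function apply_filters($hook, $value, ...$args) {
    global $hooks;
    foreach ($hooks[$hook] ?? [] as $cb) {
        $value = $cb($value, ...$args);
    }
    return $value;
}

// Stand-in for esc_html(): core does more (UTF-8 validation, its own
// _wp_specialchars(), an 'esc_html' filter); the encoding step is the part
// that matters here.
function esc_html($text) {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Simplified get_bloginfo(): same $show / $filter parameters as core, only
// the 'version' branch implemented. Core applies the 'bloginfo' filter only
// when $filter === 'display'; the default 'raw' returns the global as-is.
function get_bloginfo($show = '', $filter = 'raw') {
    global $wp_version;
    $output = ('version' === $show) ? $wp_version : '';
    if ('display' === $filter) {
        $output = apply_filters('bloginfo', $output, $show);
    }
    return $output;
}

// Hypothetical helper doing what wp-admin/about.php does: keep the part
// before the first '-' ('5.9-beta1-52030' becomes '5.9') for the page text.
function display_version($filter = 'raw') {
    list($display_version) = explode('-', get_bloginfo('version', $filter));
    return $display_version;
}

// Hypothetical plugin that wraps the version string in markup through the
// 'bloginfo' filter. It only ever sees the value in the 'display' context.
add_filter('bloginfo', function ($value, $show) {
    return ('version' === $show) ? '<em>' . $value . '</em>' : $value;
});

// Compare the two contexts, with and without escaping.
printf("raw:               %s\n", display_version('raw'));
printf("raw, esc_html:     %s\n", esc_html(display_version('raw')));
printf("display:           %s\n", display_version('display'));
printf("display, esc_html: %s\n", esc_html(display_version('display')));
```

Running it shows the distinction the comment relies on: on the `'raw'` path the registered filter never executes, so the value printed is exactly the first segment of `$wp_version` whether or not it goes through `esc_html()`, and the escaping call is a no-op on a string core controls. Only the `'display'` path lets a plugin rewrite the string, and that is not the path `about.php` uses. The practical caveat for a reviewer is the same one the comment makes: the escaping rule applies to values that can carry untrusted input, and the `$filter` argument, not the function name, is what decides whether `get_bloginfo()` output can.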


More information about the wp-trac mailing list