[wp-trac] [WordPress Trac] #54255: Use esc_html() to escaping variable in about page
WordPress Trac
noreply at wordpress.org
Fri Oct 15 15:52:49 UTC 2021
#54255: Use esc_html() to escaping variable in about page
--------------------------+-------------------------------
 Reporter:  sayedulsayem  |       Owner:  (none)
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  Help/About    |     Version:
 Severity:  normal        |  Resolution:  wontfix
 Keywords:  has-patch     |     Focuses:  coding-standards
--------------------------+-------------------------------
Changes (by desrosj):
* keywords: has-patch commit => has-patch
* status: new => closed
* resolution: => wontfix
* milestone: 5.9 =>
Comment:

Thanks everyone for taking a look at this!

I've done some looking back at past versions to see if `$display_version`
has been escaped in the past, and it looks like it never was.

Looking into why, my assumption is most likely that `$wp_version` can
generally be considered trusted. `get_bloginfo( 'version' )` returns the
value stored in the `$wp_version` global variable. Though there are
filters in `get_bloginfo()`, the value is not passed through either of
them because the default context is `raw`, not `display`.

I'm going to close this out as `wontfix` following precedent.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54255#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
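
The filter behaviour described in the comment above, as an added example that is not part of the original message and is not WordPress core code: a simplified stand-alone PHP model of the `version` branch of `get_bloginfo()`. The `*_model` functions, the sample version string and the filter callback are assumptions made for illustration, and `htmlspecialchars()` stands in for `esc_html()`.

```php
<?php
// Simplified model (assumption) of the 'version' branch of get_bloginfo().
// Not WordPress core code: the *_model helpers below are stand-ins.
$wp_version = '5.9-alpha-00000'; // constructed sample value
$filters    = array();

function add_filter_model( $tag, $callback ) {
	global $filters;
	$filters[ $tag ][] = $callback;
}

function apply_filters_model( $tag, $value, $show ) {
	global $filters;
	foreach ( $filters[ $tag ] ?? array() as $callback ) {
		$value = $callback( $value, $show );
	}
	return $value;
}

function get_bloginfo_model( $show, $context = 'raw' ) {
	global $wp_version;
	$output = ( 'version' === $show ) ? $wp_version : '';
	// Filters run only in the 'display' context; the default 'raw' skips them.
	if ( 'display' === $context ) {
		$output = apply_filters_model( 'bloginfo', $output, $show );
	}
	return $output;
}

// Constructed third-party filter that appends markup to the version string.
add_filter_model( 'bloginfo', function ( $value, $show ) {
	return 'version' === $show ? $value . '<b>custom</b>' : $value;
} );

$raw     = get_bloginfo_model( 'version' );            // default context
$display = get_bloginfo_model( 'version', 'display' ); // filtered context

// Compare each result with the global to see which path the filter touched.
var_dump( $raw === $wp_version );
var_dump( $display === $wp_version );

// Escaping at the output boundary neutralises markup added by a filter.
echo htmlspecialchars( $display, ENT_QUOTES, 'UTF-8' ), "\n";
```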