[wp-trac] [WordPress Trac] #56128: Wrong escaping in 'class-wp-nav-menu-widget.php' file

WordPress Trac noreply at wordpress.org
Fri Jul 1 19:10:32 UTC 2022

#56128: Wrong escaping in 'class-wp-nav-menu-widget.php' file
 Reporter:  hztyfoon      |       Owner:  SergeyBiryukov
     Type:  defect (bug)  |      Status:  assigned
 Priority:  normal        |   Milestone:  6.1
Component:  Widgets       |     Version:  4.3
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:  administration, coding-standards
Changes (by SergeyBiryukov):

 * version:  trunk => 4.3
 * milestone:  Awaiting Review => 6.1


 Hi there, welcome to WordPress Trac! Thanks for the ticket.

 Introduced in [33488] / #32814 for WordPress 4.3, setting the version

 It looks like `esc_url()` cannot be used here, as the URL can be a
 `javascript:` link, see [source:tags/6.0/src/wp-includes/widgets/class-wp-
 nav-menu-widget.php?marks=169#L164 line 169] above. Using `esc_url()`
 would turn that into an empty string.

 That said, we should be able to add an inline comment to expain the
 `esc_attr()` usage.

Ticket URL: <https://core.trac.wordpress.org/ticket/56128#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list