[wp-trac] [WordPress Trac] #55335: $user_login double escaped with incorrect/empty password in wp-login.php
WordPress Trac
noreply at wordpress.org
Tue Mar 8 03:56:54 UTC 2022
#55335: $user_login double escaped with incorrect/empty password in wp-login.php
------------------------------------+-----------------------------
 Reporter:  johnjamesjacoby         |      Owner:  (none)
     Type:  defect (bug)            |     Status:  new
 Priority:  normal                  |  Milestone:  Awaiting Review
Component:  Login and Registration  |    Version:
 Severity:  normal                  |   Keywords:
  Focuses:                          |
------------------------------------+-----------------------------
First:
{{{
if ( isset( $_POST['log'] ) ) {
    $user_login = ( 'incorrect_password' === $errors->get_error_code() || 'empty_password' === $errors->get_error_code() )
        ? esc_attr( wp_unslash( $_POST['log'] ) )
        : '';
}
}}}
Then:
{{{
<input type="text" name="log" id="user_login"<?php echo $aria_describedby_error; ?> class="input" value="<?php echo esc_attr( $user_login ); ?>" size="20" autocapitalize="off" />
}}}
Fix is to late escape only, and remove the top one.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/55335>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
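
The escape-at-assignment versus late-escape pattern from the ticket above, as an added example that is not part of the original report or of WordPress core. It assumes a hypothetical `escape_attr()` helper built on PHP's `htmlspecialchars()` with its default double encoding; WordPress's own `esc_attr()` is not reproduced here and may treat already-encoded entities differently. The `$post` array is constructed sample input.

```php
<?php
// Added illustration; not WordPress core code.
// escape_attr() is a hypothetical stand-in for an attribute escaper. It uses
// htmlspecialchars() with default double encoding, so every call re-encodes "&".
function escape_attr( string $text ): string {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
}

// Before: the value is escaped when it is read from the request and escaped
// again when it is printed into the attribute.
function render_early_and_late( array $post ): string {
    $user_login = isset( $post['log'] ) ? escape_attr( $post['log'] ) : '';
    return '<input type="text" name="log" value="' . escape_attr( $user_login ) . '" />';
}

// After: the variable keeps the raw value and is escaped exactly once, at the
// point of output ("late escaping").
function render_late_only( array $post ): string {
    $user_login = isset( $post['log'] ) ? $post['log'] : '';
    return '<input type="text" name="log" value="' . escape_attr( $user_login ) . '" />';
}

// Constructed sample input: a login containing characters that need escaping.
$post = array( 'log' => 'tom&jerry"@example.org' );

// Both forms keep the quote from closing the attribute, but the first one
// sends entities of entities to the browser, so the field shows "&amp;" and
// "&quot;" literally and resubmits that altered value.
echo render_early_and_late( $post ), PHP_EOL;
echo render_late_only( $post ), PHP_EOL;
```

Keeping the raw value in the variable also means any other code that reads `$user_login` before output sees the submitted login rather than an HTML-encoded copy of it.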