[wp-trac] [WordPress Trac] #56655: add_menu_page - escaping $page_title, $menu_title
WordPress Trac
noreply at wordpress.org
Wed Nov 2 18:07:19 UTC 2022
#56655: add_menu_page - escaping $page_title, $menu_title
-------------------------------------------------+-------------------------
Reporter: soupia18 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 6.1.1
Component: Menus | Version:
Severity: normal | Resolution:
Keywords: has-screenshots has-patch 2nd-opinion | Focuses: administration
-------------------------------------------------+-------------------------
Changes (by azaozz):
* keywords: has-screenshots has-patch => has-screenshots has-patch 2nd-opinion
Comment:
> I can confirm that this is an issue...
> ...
> Both menu and submenus titles are printed unescaped.
> ...
> I just noticed that the same issue exists also when we use add_meta_boxes()
The question here is where these strings come from? Can they be entered by
(unidentified) users or are they coming from plugins?
As far as I see the reason for not escaping the menu titles is that a
plugin may want to add a bit of HTML to make a menu "bubble" with a count,
like for comments, available updates, etc. These strings are not different
than any other string outputted by a plugin, i.e. a plugin can add any
HTML and any JS to pretty much any place in wp-admin. Don't see why menu
titles should be restricted, doesn't seem to serve any purpose. :)
> It looks like wp_kses() might be needed there
Not sure that is a good idea. KSES is pretty slow and is intended only for
use when **user supplied content** is saved to the DB. All other uses of
it, especially on outputting/displaying content, make WP slow.
For example: if a plugin would allow a user to enter a menu title, it
should use KSES on saving the title entered by the user to make sure it is
safe. This is the same for any other user input.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56655#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
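The pattern the comment describes, as an added example that is not from the ticket, from azaozz, or from WordPress core: a hypothetical plugin lets an administrator type its menu title, runs wp_kses() once in the option's sanitize callback when the value is saved, and then passes the stored value to add_menu_page() without re-filtering it on every admin page load. The option name, option group, slug, text domain and the allowed-tag list for the "bubble" markup are all assumptions made for this example; the WordPress functions used (register_setting, wp_kses, wp_strip_all_tags, add_menu_page, esc_html__, esc_attr, settings_fields, submit_button) are real core APIs.

```php
<?php
// Added example, not code from the ticket or from WordPress core.
// Hypothetical plugin: an administrator-editable menu title that is
// sanitized with KSES on save (Settings API), not at output time.

// Markup permitted in the menu title, enough for a count "bubble" such as
// <span class="update-plugins"><span class="plugin-count">3</span></span>.
// This allow-list is an assumption for the example; a real plugin would
// restrict it to exactly what it needs.
function example_plugin_menu_title_allowed_html() {
    return array(
        'span' => array( 'class' => true ),
    );
}

// Sanitize callback: runs when the option is written to the database, so the
// (relatively slow) KSES pass happens once per save instead of once per request.
function example_plugin_sanitize_menu_title( $value ) {
    $value = wp_kses( (string) $value, example_plugin_menu_title_allowed_html() );

    // Fall back to a safe default if the submitted title is empty or markup only.
    if ( '' === trim( wp_strip_all_tags( $value ) ) ) {
        $value = 'Example Plugin';
    }
    return $value;
}

add_action( 'admin_init', function () {
    register_setting(
        'example_plugin_settings',   // option group (hypothetical)
        'example_plugin_menu_title', // option name (hypothetical)
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_plugin_sanitize_menu_title',
            'default'           => 'Example Plugin',
        )
    );
} );

add_action( 'admin_menu', function () {
    // The stored value was already filtered on save; no wp_kses() here.
    $menu_title = get_option( 'example_plugin_menu_title', 'Example Plugin' );

    add_menu_page(
        esc_html__( 'Example Plugin Settings', 'example-plugin' ), // $page_title: plain text
        $menu_title,            // $menu_title: may carry the allowed <span> bubble markup
        'manage_options',       // capability required to see the menu
        'example-plugin',       // menu slug (hypothetical)
        'example_plugin_render_page'
    );
} );

// Settings page: the stored title is re-escaped for the attribute context it
// is printed into, which is a different concern from the KSES pass on save.
function example_plugin_render_page() {
    $current = get_option( 'example_plugin_menu_title', 'Example Plugin' );

    echo '<div class="wrap"><h1>' . esc_html__( 'Example Plugin Settings', 'example-plugin' ) . '</h1>';
    echo '<form method="post" action="options.php">';
    settings_fields( 'example_plugin_settings' );
    echo '<p><label for="example_plugin_menu_title">' . esc_html__( 'Menu title', 'example-plugin' ) . '</label> ';
    echo '<input type="text" class="regular-text" id="example_plugin_menu_title" name="example_plugin_menu_title" value="' . esc_attr( $current ) . '" /></p>';
    submit_button();
    echo '</form></div>';
}
```

The split mirrors the comment's point: KSES belongs at the boundary where untrusted input enters the database, while output helpers such as esc_attr() handle the context-specific escaping of values that are printed back into HTML attributes. A plugin that only ever passes its own literal strings to add_menu_page() needs neither step.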