[wp-trac] [WordPress Trac] #57541: Missing escaping in admin menu walker file
WordPress Trac
noreply at wordpress.org
Tue Jan 24 16:55:50 UTC 2023
#57541: Missing escaping in admin menu walker file
--------------------------+------------------------
Reporter: aniketpatel | Owner: audrasjb
Type: defect (bug) | Status: reviewing
Priority: normal | Milestone: 6.2
Component: Menus | Version: 3.0
Severity: minor | Resolution:
Keywords: has-patch | Focuses:
--------------------------+------------------------
Comment (by costdev):
I agree @audrasjb. I've wondered a few times why we do this.
Here's what I can gather:
1. This variable is set to `admin_url(...)`, which has `apply_filters()`
as the final return value. Extenders ''could'' modify the URL with
something unsafe, but if they're filtering, then they already have access
to do a lot worse. Like cleaning out the fridge in case a burglar poisons
the food.
2. However, the description of `esc_url()` states:
**eliminates invalid characters** and removes dangerous characters
So, even though `esc_url()` is mainly used for security, this also helps
when extenders return a value that has invalid characters. I guess this is
one reason why the pattern exists elsewhere in Core.
3. We tell extenders to sanitize all URLs before output, so maybe this
pattern also exists to encourage this.
Given (2) and (3), it makes sense to continue this pattern.
The PR looks good to me. 👍
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57541#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
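The effect described in point (2) of the comment, as an added example that is not part of the ticket or of WordPress core. It assumes WordPress is loaded (for instance as an mu-plugin); the `admin_url` filter callback and the stray characters it appends are constructed for illustration.

```php
<?php
// Added example, not WordPress core code. Assumes WordPress is loaded so that
// add_filter(), admin_url() and esc_url() are available. The filter callback
// and the characters it appends are constructed for illustration.

// A hypothetical extender hooks the `admin_url` filter and returns a value that
// contains characters that are invalid in a URL: a double quote, a newline and
// an angle bracket. Any of these would break (or escape from) an href attribute.
add_filter( 'admin_url', function ( $url, $path ) {
    if ( 'nav-menus.php' === $path ) {
        return $url . "?tab=\"broken\"\n<extra>";
    }
    return $url;
}, 10, 2 );

$raw   = admin_url( 'nav-menus.php' );
$clean = esc_url( admin_url( 'nav-menus.php' ) );

// Without esc_url(): the filtered string is echoed into the attribute verbatim,
// quotes, newline and angle brackets included.
printf( '<a href="%s">Menus (unescaped)</a>' . "\n", $raw );

// With esc_url(): characters outside its allowed set are stripped, so the href
// remains a single, well-formed attribute value.
printf( '<a href="%s">Menus (escaped)</a>' . "\n", $clean );
```

Run inside a WordPress install, the second link's `href` keeps only the characters `esc_url()` permits (the quote, newline and angle brackets are gone), which is the "eliminates invalid characters" behaviour the comment refers to, independent of whether the extender's intent was hostile.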