[wp-trac] [WordPress Trac] #58305: Login page title text is filterable but not escaped (was: This Dynamic Value is From the "apply_filters()" Function not Escaped While Echoing.)

WordPress Trac noreply at wordpress.org
Sun May 14 06:39:59 UTC 2023


#58305: Login page title text is filterable but not escaped
------------------------------------+-------------------------------
 Reporter:  mahamudur78             |       Owner:  (none)
     Type:  defect (bug)            |      Status:  new
 Priority:  normal                  |   Milestone:  6.3
Component:  Login and Registration  |     Version:
 Severity:  normal                  |  Resolution:
 Keywords:  has-patch               |     Focuses:  coding-standards
------------------------------------+-------------------------------
Changes (by sabernhardt):

 * milestone:  Awaiting Review => 6.3


Old description:

> I have identified an issue with echoing a dynamic value of an HTML
> element in the [https://github.com/WordPress/wordpress-develop/blob/trunk/src/wp-login.php#L209 /wp-login.php]
> file while reviewing its code. The problem is located on line 209 of the file.
>
> I believe there is a potential security risk associated with this issue,
> as the dynamic value is being loaded from the "apply_filters()" function.
>
> To ensure the security and validity of the code, it is crucial to
> properly escape the dynamic value and prevent any potential security
> vulnerabilities. Therefore, it is important to address this issue by
> properly escaping the value on that line.

New description:

 I have identified an issue with echoing a dynamic value of an HTML element
 in the [https://github.com/WordPress/wordpress-develop/blob/trunk/src/wp-login.php#L209 /wp-login.php]
 file while reviewing its code. The problem is located on line 209 of the file.

 I believe there is a potential security risk associated with this issue,
 as the dynamic value is being loaded from the `apply_filters()` function.

 To ensure the security and validity of the code, it is crucial to properly
 escape the dynamic value and prevent any potential security
 vulnerabilities. Therefore, it is important to address this issue by
 properly escaping the value on that line.

--

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/58305#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
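The pattern the ticket describes, as an added example that is not part of the ticket or of WordPress core: a small stand-in for the hook API (constructed here so the snippet runs outside WordPress; the real `add_filter()`/`apply_filters()` are richer), a callback registered on the real `login_title` filter that returns text containing markup characters, and the title rendered once the way the ticket reports it (echoed raw) and once escaped at the point of output. The default title string, the callback body, the site name, the `esc_html()` approximation and the `render_title_*` helper names are all constructed for this example.

```php
<?php
// Stand-in hook registry (constructed for this example, not WordPress's
// own implementation): callbacks are stored per hook name and applied in
// registration order, each receiving the value returned by the previous one.
$wp_filters = [];

function add_filter(string $hook, callable $callback): void {
    global $wp_filters;
    $wp_filters[$hook][] = $callback;
}

function apply_filters(string $hook, $value, ...$args) {
    global $wp_filters;
    foreach ($wp_filters[$hook] ?? [] as $callback) {
        $value = $callback($value, ...$args);
    }
    return $value;
}

// Approximation of WordPress esc_html(): encode the characters that would
// otherwise be read as markup inside an HTML text node. double_encode is
// false so entities already present in the title (e.g. &lsaquo;) are kept.
function esc_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

// A plugin or theme hooks the login title. 'login_title' is the real
// WordPress filter name; the callback body is constructed and simply returns
// text that happens to contain '<' and '>'.
add_filter('login_title', function (string $login_title, string $title): string {
    return 'Log In <Acme Corp>';
});

// Default title as core would build it before filtering (constructed here).
function default_login_title(string $site_name): string {
    return "Log In &lsaquo; $site_name";
}

// Pattern reported in the ticket: the filtered value is placed into the
// <title> element as-is, so whatever a filter callback returns reaches the
// browser unchanged.
function render_title_unescaped(string $site_name): string {
    $login_title = apply_filters('login_title', default_login_title($site_name), 'Log In');
    return "<title>$login_title</title>";
}

// Hardened form: escape once, at output time, after every filter has run.
function render_title_escaped(string $site_name): string {
    $login_title = apply_filters('login_title', default_login_title($site_name), 'Log In');
    return '<title>' . esc_html($login_title) . '</title>';
}

echo render_title_unescaped('Example'), "\n";
echo render_title_escaped('Example'), "\n";
```

The check worth keeping from this: escaping belongs at the echo, after `apply_filters()` has returned, because the value at that point is whatever the last registered callback produced. Escaping earlier (before the filter) protects nothing, and escaping with double encoding would mangle the entities core itself puts into the default title.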

