[wp-trac] [WordPress Trac] #58305: Login page title text is filterable but not escaped (was: This Dynamic Value is From the "apply_filters()" Function not Escaped While Echoing.)
WordPress Trac
noreply at wordpress.org
Sun May 14 06:39:59 UTC 2023
#58305: Login page title text is filterable but not escaped
------------------------------------+-------------------------------
Reporter: mahamudur78 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 6.3
Component: Login and Registration | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses: coding-standards
------------------------------------+-------------------------------
Changes (by sabernhardt):
* milestone: Awaiting Review => 6.3
Old description:
> I have identified an issue with echoing a dynamic value of an HTML
> element in the [https://github.com/WordPress/wordpress-develop/blob/trunk/src/wp-login.php#L209 /wp-login.php]
> file while reviewing its code. The problem is located on line 209 of the file.
>
> I believe there is a potential security risk associated with this issue,
> as the dynamic value is being loaded from the "apply_filters()" function.
>
> To ensure the security and validity of the code, it is crucial to
> properly escape the dynamic value and prevent any potential security
> vulnerabilities. Therefore, it is important to address this issue by
> properly escaping the value on that line.
New description:
I have identified an issue with echoing a dynamic value of an HTML element
in the [https://github.com/WordPress/wordpress-develop/blob/trunk/src/wp-login.php#L209 /wp-login.php]
file while reviewing its code. The problem is located on line 209 of the file.
I believe there is a potential security risk associated with this issue,
as the dynamic value is being loaded from the `apply_filters()` function.
To ensure the security and validity of the code, it is crucial to properly
escape the dynamic value and prevent any potential security
vulnerabilities. Therefore, it is important to address this issue by
properly escaping the value on that line.
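The pattern the ticket describes, as an added stand-alone illustration (not WordPress core code): a plain-PHP stand-in for the `add_filter()`/`apply_filters()` API and for `esc_html()`, with the hook name `login_title` and the plugin callback assumed for the demonstration. It shows the filtered title echoed as-is beside the same value escaped at output time.

```php
<?php
// Added example, not WordPress code. Minimal stand-in for the WordPress
// filter API so this file runs under plain PHP without a WordPress install.
$hooks = [];
function add_filter(string $tag, callable $cb): void {
    global $hooks;
    $hooks[$tag][] = $cb;
}
function apply_filters(string $tag, $value) {
    global $hooks;
    foreach ($hooks[$tag] ?? [] as $cb) {
        $value = $cb($value);          // every registered callback may rewrite the value
    }
    return $value;
}
// Stand-in approximating WordPress's esc_html(): encode <, >, &, quotes, and
// leave existing entities alone (no double encoding), as esc_html() does.
function esc_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8', false);
}

// A third-party callback (constructed) registered on the assumed hook name.
// The point is that core cannot know what a callback returns.
add_filter('login_title', function (string $title): string {
    return $title . ' <b>Staging</b>';
});

// Before: the value that comes out of the filter chain is emitted verbatim,
// so any markup a callback returned becomes part of the document.
function render_title_unescaped(): string {
    $login_title = apply_filters('login_title', 'Log In &lsaquo; Example Site');
    return '<title>' . $login_title . '</title>';
}

// After: escape at the point of output; the browser then shows the markup
// as literal text in the title rather than parsing it.
function render_title_escaped(): string {
    $login_title = apply_filters('login_title', 'Log In &lsaquo; Example Site');
    return '<title>' . esc_html($login_title) . '</title>';
}

echo render_title_unescaped(), PHP_EOL;
// <title>Log In &lsaquo; Example Site <b>Staging</b></title>
echo render_title_escaped(), PHP_EOL;
// <title>Log In &lsaquo; Example Site &lt;b&gt;Staging&lt;/b&gt;</title>
```

Escaping late (at echo time) rather than inside the filter is what lets every callback keep returning plain text while core guarantees the final output is well-formed.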
--
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58305#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac mailing list