[wp-trac] [WordPress Trac] #58336: Potential XSS on admin_body_class hook
WordPress Trac
noreply at wordpress.org
Wed May 17 05:49:08 UTC 2023
#58336: Potential XSS on admin_body_class hook
------------------------------------------+---------------------
Reporter: rafiem | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 6.3
Component: Security | Version:
Severity: normal | Resolution:
Keywords: needs-patch needs-unit-tests | Focuses:
------------------------------------------+---------------------
Changes (by audrasjb):
* keywords: => needs-patch needs-unit-tests
Comment:
The easier way to handle this would probably be to sanitize
`$admin_body_classes` late, when displaying the classes:
{{{#!php
$admin_body_classes = apply_filters( 'admin_body_class', '' );
$admin_body_classes = ltrim( $admin_body_classes . ' ' . $admin_body_class );
// sanitize_html_class() strips whitespace, so sanitize each class on its own
// rather than the whole space-separated string (which would merge them).
$admin_body_classes = implode( ' ', array_map( 'sanitize_html_class', explode( ' ', $admin_body_classes ) ) );
?>
<body class="wp-admin wp-core-ui no-js <?php echo $admin_body_classes; ?>">
}}}
Maybe it would also be worth putting together some PHPUnit test cases for
this.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58336#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
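As an added, stand-alone illustration of the late-sanitization approach discussed in the comment above (example code, not from the ticket or WordPress core): it assumes a simplified stand-in for core's `sanitize_html_class()` (the hypothetical `sanitize_html_class_stub()`, without the filter hook) and a hypothetical `admin_body_class_attr()` helper that sanitizes each class token separately, because `sanitize_html_class()` strips whitespace and would merge the classes if applied to the whole string.

```php
<?php
// Added example, not code from the ticket or from WordPress core.

/**
 * Simplified stand-in for WordPress's sanitize_html_class() (assumption:
 * same character rules as core, minus the 'sanitize_html_class' filter).
 */
function sanitize_html_class_stub( string $class, string $fallback = '' ): string {
    // Strip %-encoded octets first, then anything outside [A-Za-z0-9_-].
    $sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $class );
    $sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );
    return ( '' === $sanitized && '' !== $fallback ) ? $fallback : $sanitized;
}

/**
 * Build the class list for <body class="..."> from the 'admin_body_class'
 * filter result plus the per-screen classes, sanitizing at output time.
 * Each token is sanitized on its own so the separating spaces survive,
 * and tokens that sanitize to nothing are dropped.
 */
function admin_body_class_attr( string $filtered, string $screen_classes ): string {
    $raw    = ltrim( $filtered . ' ' . $screen_classes );
    $tokens = preg_split( '/\s+/', $raw, -1, PREG_SPLIT_NO_EMPTY );
    $clean  = array_filter( array_map( 'sanitize_html_class_stub', $tokens ) );
    return implode( ' ', $clean );
}

// Constructed inputs: a well-behaved filter callback and one that returns
// attribute-breaking text (the kind of value the ticket is about).
$screen = 'index-php branch-6-2';
$good   = 'my-plugin-screen';
$bad    = 'my-plugin" onfocus="x ">';

assert( admin_body_class_attr( $good, $screen ) === 'my-plugin-screen index-php branch-6-2' );
// The quote and angle bracket are removed, so the attribute cannot be broken out of.
assert( admin_body_class_attr( $bad, $screen ) === 'my-plugin onfocusx index-php branch-6-2' );
// Whole-string sanitization would merge the classes; per-token keeps them apart.
assert( sanitize_html_class_stub( 'index-php branch-6-2' ) === 'index-phpbranch-6-2' );

echo '<body class="wp-admin wp-core-ui no-js ' . admin_body_class_attr( $bad, $screen ) . '">' . PHP_EOL;
```

Run with `php -d zend.assertions=1 example.php` so the `assert()` calls are evaluated; the echoed tag shows the sanitized attribute.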