[wp-trac] [WordPress Trac] #58303: Escape $columns_css variable in dashboard widget
WordPress Trac
noreply at wordpress.org
Mon May 22 13:40:57 UTC 2023
#58303: Escape $columns_css variable in dashboard widget
-----------------------------------+-------------------------------
Reporter: mahamudur78 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Administration | Version:
Severity: normal | Resolution:
Keywords: has-patch 2nd-opinion | Focuses: coding-standards
-----------------------------------+-------------------------------
Comment (by SergeyBiryukov):
Replying to [comment:6 hbhalodia]:
> I have added another patch for this which uses the core `sanitize_html_class` function: https://developer.wordpress.org/reference/functions/sanitize_html_class/
Thanks for the PR! However, as noted above, the `$columns` variable goes
through `absint()` and is not user-editable, so it does not currently
require sanitization.
It is also worth noting that per the
[https://developer.wordpress.org/apis/security/#h-guiding-principles security guiding principles],
sanitizing should be done early and escaping should be as late as possible,
so for the output itself, `esc_attr()` would be the correct function to use.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58303#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
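The "sanitize early, escape late" flow described in the comment above, as an added example that is not WordPress core code and not part of the ticket: `absint()` normalises the column count as soon as it is read, and `esc_attr()` is applied only at the point of output. The `demo_*` functions are hypothetical, and the `absint()`/`esc_attr()` stand-ins are minimal stubs so the file runs without WordPress loaded.

```php
<?php
// Stand-ins so this runs stand-alone; real core functions win when WordPress is loaded.
if ( ! function_exists( 'absint' ) ) {
	function absint( $maybeint ) {
		return abs( (int) $maybeint );
	}
}
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		// Approximation of core esc_attr(): encode quotes and angle brackets for an HTML attribute.
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
}

/**
 * Sanitize early (hypothetical helper): coerce the stored value to a
 * non-negative integer at the moment it is read, so everything downstream
 * works with a known-safe type rather than raw input.
 */
function demo_get_dashboard_columns( $raw_value ) {
	return absint( $raw_value );
}

/**
 * Escape late (hypothetical helper): build the class string from the already
 * sanitized integer and escape it only where it lands inside the attribute.
 */
function demo_render_dashboard_widgets( $raw_value ) {
	$columns     = demo_get_dashboard_columns( $raw_value );
	$columns_css = '';
	if ( $columns ) {
		$columns_css = ' columns-' . $columns;
	}
	return '<div id="dashboard-widgets" class="metabox-holder' . esc_attr( $columns_css ) . '">';
}

// Constructed inputs: a normal value, a numeric string with trailing junk,
// a negative number, and a non-numeric string. Every one produces an
// integer-only class (or none), so esc_attr() has nothing to encode and the
// attribute boundary cannot be broken regardless of what was stored.
foreach ( array( 2, '3abc', '-4', 'not-a-number' ) as $raw ) {
	echo demo_render_dashboard_widgets( $raw ) . "\n";
}
```

Running it prints `columns-2`, `columns-3`, `columns-4`, and no class for the non-numeric case, which is why the comment treats `absint()` as sufficient sanitization and leaves `esc_attr()` as the output-side step.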