[wp-trac] [WordPress Trac] #58303: Escape $columns_css variable in dashboard widget
WordPress Trac
noreply at wordpress.org
Wed Jun 12 23:02:30 UTC 2024
#58303: Escape $columns_css variable in dashboard widget
-----------------------------------------+-------------------------------
Reporter: mahamudur78 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Administration | Version:
Severity: normal | Resolution:
Keywords: has-patch 2nd-opinion close | Focuses: coding-standards
-----------------------------------------+-------------------------------
Changes (by coffee2code):
* keywords: has-patch 2nd-opinion => has-patch 2nd-opinion close
Comment:
Replying to [comment:3 SergeyBiryukov]:
> This is indeed similar to [54857] / #57133, but there is also an ongoing
> discussion in comment:17:ticket:58251 on whether it is a good idea to
> preventively add escaping in cases like this.
The discussion in #58251 culminated in the decision to **''NOT''** escape
an HTML attribute value when that value is guaranteed to be safe. In this
case, as Sergey explained, the attribute value is the concatenation of an
explicit string and the result of an `absint()` call. Hence the value is
safe and does not need unnecessary escaping.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58303#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform