[wp-trac] [WordPress Trac] #62885: Missing dot at the end of the description and improve function
WordPress Trac
noreply at wordpress.org
Thu Jan 30 10:52:46 UTC 2025
#62885: Missing dot at the end of the description and improve function
-------------------------+-------------------------------------
Reporter: kapasias | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch | Focuses: docs, coding-standards
-------------------------+-------------------------------------
Changes (by kapasias):
* keywords: => has-patch
Comment:
Example:

// Shortcode callback used as the example. The escaped values are placed in
// attribute-name position (no surrounding quotes), so escaping does not
// change how the browser tokenizes them.
function custom_message_shortcode() {
    $value1 = 'onmouseover=alert("XSS")';
    $value2 = 'Text with Space';
    $value3 = 'abc = xyz';
    return '<div ' . esc_html( $value1 ) . ' ' . esc_attr( $value3 ) . ' class="custom-message">' . esc_attr( $value2 ) . '</div>';
}
add_shortcode( 'custom_message', 'custom_message_shortcode' );
This line of code uses preg_replace() to sanitize a string by removing
potentially unsafe event handler attributes (like onclick, onmouseover,
etc.) from HTML elements.
This is a security measure to prevent malicious JavaScript from being
executed via event handler attributes in user-supplied content. It helps
mitigate risks like Cross-Site Scripting (XSS).
Before update function: https://prnt.sc/4LfxABLmaM2o
After update function: https://prnt.sc/ZYIWFxjYCDnN
So the preg_replace( '/\s*on\w+\s*=\s*["\']?.*?["\']?/i', '', $safe_text ); line sanitizes and escapes the HTML.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62885#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
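As an added illustration (not code from the ticket or from WordPress core), the stand-alone PHP below reproduces the ticket's shortcode output without WordPress, applies the quoted preg_replace() line to that output, and then builds the same markup with each value inside a quoted attribute value rather than in attribute-name position. html_attr() is an assumed stand-in for esc_attr() (both encode <, >, &, " and ' for use inside a quoted attribute); strip_event_handlers(), build_unquoted() and build_quoted() are names chosen for this example.

```php
<?php
// Added example, not part of the ticket or of WordPress core.
// Assumption: html_attr() behaves like esc_attr() for the characters that
// matter inside a quoted attribute value (<, >, &, " and ').

function html_attr(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The preg_replace() line quoted in the ticket, applied to built markup.
function strip_event_handlers(string $safe_text): string {
    return preg_replace('/\s*on\w+\s*=\s*["\']?.*?["\']?/i', '', $safe_text);
}

// The ticket's pattern: escaped values land in attribute-NAME position.
// Escaping only changes characters; it cannot move text into a different
// parsing context, so the parser still sees an attribute named onmouseover.
function build_unquoted(string $value1, string $value2, string $value3): string {
    return '<div ' . html_attr($value1) . ' ' . html_attr($value3)
         . ' class="custom-message">' . html_attr($value2) . '</div>';
}

// Contextual escaping: every untrusted value sits inside a quoted attribute
// value or in element text, which are the contexts esc_attr()/esc_html()
// are designed for. An encoded quote cannot end the attribute early.
function build_quoted(string $value1, string $value2, string $value3): string {
    return '<div data-value1="' . html_attr($value1) . '"'
         . ' data-value3="' . html_attr($value3) . '"'
         . ' class="custom-message">' . html_attr($value2) . '</div>';
}

// Constructed inputs, taken from the ticket's example values.
$value1 = 'onmouseover=alert("XSS")';
$value2 = 'Text with Space';
$value3 = 'abc = xyz';

$unquoted = build_unquoted($value1, $value2, $value3);

echo "1) escaped, attribute-name position: ", $unquoted, PHP_EOL;
echo "2) after strip_event_handlers():     ", strip_event_handlers($unquoted), PHP_EOL;
echo "3) escaped, quoted attribute value:  ", build_quoted($value1, $value2, $value3), PHP_EOL;
```

Run it with the php CLI and compare the three lines. In the first, the div's first attribute still starts with onmouseover= because escaping changed the quote characters but not the attribute-name context. In the second, the regex has removed the attribute name and the "=" (the lazy .*? stops as soon as no quote follows the "="), so the remaining value text is still in the markup, just no longer as an event handler. In the third, the same input is ordinary text inside a quoted attribute value, which is the context esc_attr() is meant for, and no stripping step is needed.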