[wp-trac] [WordPress Trac] #63675: Sanitize request values and improve translatable strings in edit-comments.php
WordPress Trac
noreply at wordpress.org
Tue Jul 8 18:02:53 UTC 2025
#63675: Sanitize request values and improve translatable strings in edit-comments.php
---------------------------+------------------------------
Reporter: sandippatel11 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Comments | Version: 6.8
Severity: minor | Resolution:
Keywords: has-patch | Focuses: administration
---------------------------+------------------------------
Changes (by sabernhardt):
* keywords: has-patch needs-testing => has-patch
* focuses: accessibility, administration, coding-standards, php-compatibility => administration
Old description:
> This patch addresses a small security and translation-related improvement
> in the `wp-admin/edit-comments.php` file:
>
> ---
>
> 1. Sanitization of Request Inputs
>
> Currently, `$_REQUEST['comment_status']` and
> `$_REQUEST['pagegen_timestamp']` are used directly after `wp_unslash()`:
>
> $comment_status = wp_unslash( $_REQUEST['comment_status'] );
> $delete_time = wp_unslash( $_REQUEST['pagegen_timestamp'] );
>
> 2. Translatable String Formatting
>
> $messages[] = __( 'This comment is already approved.' ) . sprintf(
> ' <a href="%1$s">%2$s</a>',
> esc_url( admin_url( "comment.php?action=editcomment&c=$same" ) ),
> __( 'Edit comment' )
> );
> is refactored into a single sprintf()-wrapped translatable string:
> $messages[] = sprintf(
> __( 'This comment is already approved. <a href="%s">Edit comment</a>'
> ),
> esc_url( admin_url( "comment.php?action=editcomment&c=$same" ) )
> );
New description:
This patch addresses a small security and translation-related improvement
in the `wp-admin/edit-comments.php` file:
1. Sanitization of Request Inputs
Currently, `$_REQUEST['comment_status']` and
`$_REQUEST['pagegen_timestamp']` are used directly after `wp_unslash()`:
{{{
$comment_status = wp_unslash( $_REQUEST['comment_status'] );
$delete_time = wp_unslash( $_REQUEST['pagegen_timestamp'] );
}}}
2. Translatable String Formatting
{{{
$messages[] = __( 'This comment is already approved.' ) . sprintf(
' <a href="%1$s">%2$s</a>',
esc_url( admin_url( "comment.php?action=editcomment&c=$same" ) ),
__( 'Edit comment' )
);
}}}
is refactored into a single `sprintf()`-wrapped translatable string:
{{{
$messages[] = sprintf(
__( 'This comment is already approved. <a href="%s">Edit comment</a>'
),
esc_url( admin_url( "comment.php?action=editcomment&c=$same" ) )
);
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63675#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
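The two points in the ticket, request-value sanitization and a single translatable string, shown together as an added example. This is not the reporter's patch and not WordPress core code. It assumes it runs inside WordPress, where wp_unslash(), sanitize_key(), absint(), esc_url(), admin_url() and __() exist; the function_exists() fallbacks are minimal stand-ins (not the real implementations) so the file also runs under plain php for the self-check at the bottom. The function names, the allow-list of statuses and the sample request values are all constructed for illustration.

```php
<?php
// Added example, not WordPress core: validate the two request values that
// edit-comments.php reads, and build the "already approved" notice from one
// translatable string.
//
// Assumption: WordPress is loaded. The fallbacks below are labelled stand-ins
// so the script can be run stand-alone; inside WordPress they are skipped.
if ( ! function_exists( 'wp_unslash' ) ) {
	function wp_unslash( $value ) { return is_string( $value ) ? stripslashes( $value ) : $value; }
}
if ( ! function_exists( 'sanitize_key' ) ) {
	function sanitize_key( $key ) { return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) ); }
}
if ( ! function_exists( 'absint' ) ) {
	function absint( $maybeint ) { return abs( (int) $maybeint ); }
}
if ( ! function_exists( 'admin_url' ) ) {
	function admin_url( $path = '' ) { return 'https://example.test/wp-admin/' . ltrim( $path, '/' ); }
}
if ( ! function_exists( 'esc_url' ) ) {
	function esc_url( $url ) { return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( '__' ) ) {
	function __( $text ) { return $text; }
}

// Assumed allow-list of statuses the comments screen understands. The allow-list
// is the real control; sanitize_key() only normalises the value before the check.
const ALLOWED_COMMENT_STATUSES = array( 'all', 'mine', 'moderated', 'approved', 'spam', 'trash' );

function get_requested_comment_status( array $request ) {
	if ( ! isset( $request['comment_status'] ) ) {
		return 'all';
	}
	// sanitize_key() lowercases and strips everything outside [a-z0-9_-], so
	// markup or stray characters never reach a query or the rendered page.
	$status = sanitize_key( wp_unslash( $request['comment_status'] ) );
	return in_array( $status, ALLOWED_COMMENT_STATUSES, true ) ? $status : 'all';
}

function get_requested_pagegen_timestamp( array $request ) {
	if ( ! isset( $request['pagegen_timestamp'] ) ) {
		return 0;
	}
	// The value is only ever compared as a number, so absint() is the whole
	// sanitization: non-numeric or negative input collapses to 0.
	return absint( wp_unslash( $request['pagegen_timestamp'] ) );
}

function already_approved_message( $comment_id ) {
	$comment_id = absint( $comment_id );
	// One translatable string with the link inside it, so translators control
	// the word order of the whole sentence rather than of two fragments.
	return sprintf(
		/* translators: %s: URL of the edit-comment screen. */
		__( 'This comment is already approved. <a href="%s">Edit comment</a>' ),
		esc_url( admin_url( "comment.php?action=editcomment&c=$comment_id" ) )
	);
}

// Self-check with constructed request values (not real traffic).
$checks = array(
	'all'      === get_requested_comment_status( array( 'comment_status' => 'approved extra' ) ),
	'approved' === get_requested_comment_status( array( 'comment_status' => 'Approved' ) ),
	1720461773 === get_requested_pagegen_timestamp( array( 'pagegen_timestamp' => '1720461773abc' ) ),
	0          === get_requested_pagegen_timestamp( array( 'pagegen_timestamp' => 'later' ) ),
	false !== strpos( already_approved_message( '42' ), 'c=42' ),
);
echo in_array( false, $checks, true ) ? "FAIL\n" : "OK\n";
```

Run with `php example.php` outside WordPress to exercise the stand-ins, or drop the functions into a plugin to use the real ones. Note that the allow-list check is what bounds `$comment_status`; sanitize_key() on its own would still let an unknown but well-formed value through, which is why the fallback to 'all' sits after the in_array() test.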