[wp-trac] [WordPress Trac] #62798: Twenty Seventeen: sanitize output of twentyseventeen_custom_colors_css()
WordPress Trac
noreply at wordpress.org
Tue Jun 24 10:26:12 UTC 2025
#62798: Twenty Seventeen: sanitize output of twentyseventeen_custom_colors_css()
-------------------------------------------------+-------------------------
 Reporter:  viralsampat                          |       Owner:  (none)
     Type:  defect (bug)                         |      Status:  new
 Priority:  normal                               |   Milestone:  Awaiting Review
Component:  Bundled Theme                        |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  dev-feedback needs-testing has-patch |     Focuses:  coding-standards
-------------------------------------------------+-------------------------
Comment (by rishabhwp):
== Reproduction Report
=== Description
This report validates whether the issue can be reproduced.
=== Environment
- WordPress: 6.9-alpha-60093-src
- PHP: 8.2.28
- Server: nginx/1.27.5
- Database: mysqli (Server: 8.4.5 / Client: mysqlnd 8.2.28)
- Browser: Chrome 137.0.0.0
- OS: macOS
- Theme: Twenty Seventeen 3.9
- MU Plugins: None activated
- Plugins:
* Test Reports 1.2.0
=== Steps to Reproduce
1. Activate the Twenty Seventeen theme.
2. Add a filter in `functions.php`:
{{{#!php
// Append a <script> tag to the filtered CSS string; the theme echoes the
// filter result into the page without sanitizing it.
add_filter( 'twentyseventeen_custom_colors_css', function( $css ) {
	return $css . '<script>console.log("XSS");</script>';
} );
}}}
3. Go to ''Appearance → Customize → Colors'' and adjust any custom color value (e.g., accent hue).
4. You will see a popup with "XSS".
=== Actual Results
1. ✅ Error condition occurs (reproduced).
=== Supplemental Artifacts
[[Image(https://i.ibb.co/0jMh1nmQ/Screenshot-2025-06-24-at-3-46-41-PM.png)]]
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62798#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
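The output path the reproduction above exercises, as an added example that is not part of the ticket or of Twenty Seventeen's own code: a stand-alone PHP script that models a `<style>` block printed from the filtered CSS, first unsanitized and then passed through a local copy of the `wp_strip_all_tags()` logic before printing. The filter stubs, the `custom_colors_css()` / `colors_css_wrap_*()` names, the hue-based CSS rule and the constructed payload are assumptions for illustration, not the theme's real signatures or markup.

```php
<?php
// Added example, not Twenty Seventeen's code. Function names below are
// illustrative stand-ins for the theme's output path.

// Minimal stand-in for the WordPress filter API so this runs without WordPress.
$filters = [];
function add_filter_stub( string $hook, callable $cb ): void {
	global $filters;
	$filters[ $hook ][] = $cb;
}
function apply_filters_stub( string $hook, string $value ): string {
	global $filters;
	foreach ( $filters[ $hook ] ?? [] as $cb ) {
		$value = $cb( $value );
	}
	return $value;
}

// Local copy of the logic of wp_strip_all_tags(): remove <script>/<style>
// elements together with their contents, then strip any remaining tags.
function strip_all_tags_local( string $text ): string {
	$text = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $text );
	return trim( strip_tags( $text ) );
}

// Models twentyseventeen_custom_colors_css(): generate CSS from the hue, then
// hand it to the filter, which is where third-party content can enter.
function custom_colors_css( int $hue ): string {
	$css = ".colors-custom a { color: hsl( {$hue}, 100%, 40% ); }";
	return apply_filters_stub( 'twentyseventeen_custom_colors_css', $css );
}

// Vulnerable pattern: the filtered string is echoed straight into <style>.
function colors_css_wrap_unsanitized( int $hue ): string {
	return '<style id="custom-theme-colors">' . custom_colors_css( $hue ) . '</style>';
}

// Hardened pattern: identical output, but tags are stripped before printing.
function colors_css_wrap_sanitized( int $hue ): string {
	return '<style id="custom-theme-colors">'
		. strip_all_tags_local( custom_colors_css( $hue ) )
		. '</style>';
}

// Constructed payload: same shape as the ticket's repro, plus the closing
// </style> a payload needs to break out of a raw-text <style> element.
add_filter_stub( 'twentyseventeen_custom_colors_css', function ( string $css ): string {
	return $css . '</style><script>console.log("XSS");</script>';
} );

$unsafe = colors_css_wrap_unsanitized( 250 );
$safe   = colors_css_wrap_sanitized( 250 );

// Unsanitized output carries a live <script>; sanitized output keeps the CSS
// rule and nothing else from the filter.
assert( str_contains( $unsafe, '</style><script>' ) );
assert( ! str_contains( $safe, '<script>' ) && ! str_contains( $safe, '</style><' ) );
assert( str_contains( $safe, 'hsl( 250, 100%, 40% )' ) );

echo $unsafe, PHP_EOL, $safe, PHP_EOL;
```

Run with `php example.php` (PHP 8.0 or later for `str_contains()`). Two caveats worth keeping in mind when testing a fix: on a normal front-end render the contents of a `<style>` element are raw text, so a bare `<script>` inside it is not parsed as an element and a `</style>` closing tag is what actually breaks out; the Customizer preview that the repro uses is a separate path where, as an assumption about the theme's preview script (the ticket does not quote it), the style contents are re-inserted from JavaScript and the injected tags can be parsed. Stripping tags is adequate here because the generated CSS contains no `<`; a filter that legitimately needs that character would have to be handled with an allow-list on the CSS rather than by tag stripping.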