Get WordPress

Make WordPress Core

Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#56158 closed defect (bug) (invalid)

Twenty Fourteen: Unescaped 'src' of an 'img' tag in 'header.php’

Reported by: mahbubshovan's profile mahbubshovan Owned by: sergeybiryukov's profile sergeybiryukov
Milestone: Priority: normal
Severity: normal Version:
Component: Bundled Theme Keywords:
Focuses: coding-standards Cc:

Description

Hello everyone,

It's my first ticket in WordPress Core. Excited to contribute to WordPress Core. I've found an issue with an unescaped 'src' of an 'img' tag in 'wp-content/themes/twentyfourteen/header.php' in line 39. I think it should be escaped.

Attachments (3)

56158.patch (874 bytes) - added by amitbarai013 2 years ago.
Hi @Mahbub,
56158.2.patch (874 bytes) - added by amitbarai013 2 years ago.
Hi @Mahbub,
56158.3.patch (874 bytes) - added by amitbarai013 2 years ago.
Hi @Mahbub, thanks for sharing the issue with us. I have attached a patch related to this issue. I hope this will solve your issue. Thank you.

Download all attachments as: .zip

Change History (12)

@amitbarai013
2 years ago

Hi @Mahbub,

@amitbarai013
2 years ago

Hi @Mahbub,

@amitbarai013
2 years ago

Hi @Mahbub, thanks for sharing the issue with us. I have attached a patch related to this issue. I hope this will solve your issue. Thank you.

#1 @amitbarai013
2 years ago

sorry my pc made it 3 pathces. all of them are same sorry.

#2 @hztyfoon
2 years ago

Hey @amitbarai013 @mahbubshovan. 🤗
Welcome to WordPress core. Thanks for pointing the issue @mahbubshovan.

No worries. @amitbarai013 U've made rain of patches.
The patch looks good to me

#3 @ocean90
2 years ago

  • Component changed from Themes to Bundled Theme
  • Focuses administration removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from assigned to closed

Hello @mahbubshovan, welcome to WordPress Trac!

header_image() doesn't return the image URL but rather prints it directly and already uses esc_url() before doing that. You can review the source of the function in the code reference.

#4 @audrasjb
2 years ago

Hello and welcome to WordPress Core Trac!

Thanks @mahbubshovan for opening the ticket and thanks @amitbarai013 for the patch.

However, I'm not sure this is really needed since header_image() already uses esc_url() on the returned string.

Source code: https://github.com/WordPress/wordpress-develop/blob/6.0/src/wp-includes/theme.php#L1397-L1403

Also, the url returned by header_image() is not filterable, so it looks like the string can't be altered.

#5 @audrasjb
2 years ago

Ah Dominik beat me on this :)

(by the way, maybe we could consider adding a filter in header_image(), but that would be for another ticket!)

#6 @audrasjb
2 years ago

  • Version trunk deleted

#7 @SergeyBiryukov
2 years ago

  • Summary changed from I've found an unescaped 'src' of an 'img' tag in 'wp-content/themes/twentyfourteen/header.php’ in line no 39. I think it should be escaped to Twenty Fourteen: Unescaped 'src' of an 'img' tag in 'header.php’

#8 @hztyfoon
2 years ago

Hey @audrasjb. 🤗
Thanks a lot for your kind remarks.

I tried to implement your idea.
I thought rather than creating a new ticket I can just share the work here so that you all can see if it looks good, rather than creating a ticket that may later be closed. 😊

Here's what I did:https://github.com/hz-tyfoon/wordpress-develop/commit/a04d438acedb5357c86faa06c19a8c574de3527f

Would U be kind to let me know how it looks...?

#9 @audrasjb
2 years ago

Hello @hztyfoon, that change looks good to me, would you mind opening a ticket for this?
Thanks!

Note: See TracTickets for help on using tickets.