Opened 12 months ago
Last modified 8 months ago
#58900 new defect (bug)
Escaping: Output String did not run through a proper escaping function
| Reported by: |
armondal
|
Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 3.4 |
| Component: | Security | Keywords: | has-patch close |
| Focuses: | coding-standards | Cc: |
Description
In class-wp-customize-control.php on line 642 'New page title' did not run through any escaping function. I think esc_html_e() should be applied.
Change History (2)
This ticket was mentioned in PR #4898 on WordPress/wordpress-develop by @armondal.
12 months ago
#1
- Keywords has-patch added
#2
@
8 months ago
- Keywords close added
Hi there, welcome back to WordPress Trac! Thanks for the ticket.
Core translations are considered safe because we have a review process for them, see #42639 and the discussion in #30724. (Also related: #32233, #44637.)
In WordPress core and older bundled themes, strings are generally only escaped in attributes or in <option> tags.
Note: See
TracTickets for help on using
tickets.
Applying proper escaping function to the output strings
Trac ticket: