#54279 closed enhancement (fixed)
Unescaped echo in wp-includes/general-template.php
| Reported by: |
sabbirshouvo
|
Owned by: |
SergeyBiryukov
|
|---|---|---|---|
| Milestone: | 5.9 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Login and Registration | Keywords: | has-patch commit |
| Focuses: | coding-standards | Cc: |
Description
In wp-includes/general-template.php -> wp_login_form() there are unescaped value for form name & id that should be properly escaped with esc_attr()
Attachments (2)
Change History (10)
#1
@
3 years ago
- Component changed from General to Login and Registration
- Milestone changed from Awaiting Review to 5.9
- Version trunk deleted
#2
@
3 years ago
@mukesh27 sure it's possible. I'm looking into the codes and will make necessary adjustment to the patch.
#4
@
3 years ago
- Type changed from defect (bug) to enhancement
According to WordPress Coding Standards, the rule here is to escape late, so better not using those variables.
#5
@
3 years ago
I prefer the 54279.diff patch to 54279.3.diff. It escapes late like @audrasjb suggested.
#6
@
3 years ago
- Keywords commit added
Adding commit keyword for 54279.diff which is the best option according to WordPress Coding Standards.
#7
@
3 years ago
- Owner set to SergeyBiryukov
- Resolution set to fixed
- Status changed from new to closed
In 51926:
This ticket was mentioned in Slack in #core by sergey. View the logs.
3 years ago
Note: See
TracTickets for help on using
tickets.
Hi there, thanks for the ticket and patch!
The patch looks good to me just one thought, For below three variable we used two times
esc_attrcan we assign escape value in single variable and pass it?esc_attr( $args['form_id'] )esc_attr( $args['id_username'] )esc_attr( $args['id_password'] )Moving to milestone
5.9.