#1999 closed defect (bug) (fixed)
Use esc_ ...attr/html... _e() where appropriate
| Reported by: | johnjamesjacoby | Owned by: | johnjamesjacoby |
|---|---|---|---|
| Milestone: | 2.4 | Priority: | normal |
| Severity: | normal | Version: | 2.1 |
| Component: | Tools - Code Improvements | Keywords: | |
| Cc: | | | |
Description
There are places where we used the typical __() and _e() functions. We should audit their usages, and use the escaping equivalents where it makes sense to.
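As an added example (not code from this ticket or from bbPress), the kind of change the audit asks for: the same template fragment first written with __() and _e(), then with the escaping equivalents that WordPress core provides for each output context. The form markup, function names beginning with bbp_example_ and the use of the 'bbpress' text domain are constructed for the illustration; __(), _e(), esc_html__(), esc_html_e(), esc_attr__(), esc_attr_e(), esc_html() and number_format_i18n() are real core functions.

```php
<?php
/*
 * Added illustration, not bbPress code. The i18n/escaping functions used
 * here are WordPress core functions; the template fragment, the
 * bbp_example_* names and the sample strings are constructed.
 */

// Before: translated strings reach the page unescaped. The text comes from
// the translation layer (a .mo file or a 'gettext' filter), so it is not
// under the template's control and must be treated as untrusted output.
function bbp_example_form_before() { ?>
    <label for="bbp_topic_title"><?php _e( 'Topic title', 'bbpress' ); ?></label>
    <input type="text" id="bbp_topic_title" name="bbp_topic_title"
           placeholder="<?php _e( 'Enter a title', 'bbpress' ); ?>"
           title="<?php echo __( 'Max 80 characters', 'bbpress' ); ?>" />
<?php }

// After: each string is escaped for the context it lands in.
//  - text between tags   -> esc_html_e() / esc_html__()
//  - inside an attribute -> esc_attr_e() / esc_attr__()
function bbp_example_form_after() { ?>
    <label for="bbp_topic_title"><?php esc_html_e( 'Topic title', 'bbpress' ); ?></label>
    <input type="text" id="bbp_topic_title" name="bbp_topic_title"
           placeholder="<?php esc_attr_e( 'Enter a title', 'bbpress' ); ?>"
           title="<?php echo esc_attr__( 'Max 80 characters', 'bbpress' ); ?>" />
<?php }

// A string that intentionally wraps a value in markup cannot be escaped
// wholesale, or the tags would be printed literally. Escape the format
// string and the variable part separately and keep the markup literal.
function bbp_example_reply_count_notice( $count ) {
    printf(
        /* translators: %s: number of replies, wrapped in <strong> */
        esc_html__( 'This topic has %s replies.', 'bbpress' ),
        '<strong>' . esc_html( number_format_i18n( $count ) ) . '</strong>'
    );
}
```

The rule of thumb the audit applies: pick the escaping function by where the string is printed, not by where it came from, and escape as late as possible so the context is known.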
Attachments (3)
Change History (23)
#4 (12 years ago)
- Milestone changed from 2.2 to 2.3
Moving to 2.3 milestone. Not a blocker, and 2.2 is overdue.
#5 (12 years ago)
- Milestone changed from 2.3 to 2.4
Moving to 2.4. We can still iterate on this over time if we'd like to.
#6 (11 years ago)
Done by the above patches:
- Remove the use of esc_attr and sanitize_text_field from the bbp_get_displayed_user_field() function.
- Use the proper functions to escape the returned value in some uses of bbp_get_displayed_user_field().
There was a bug related to this when you enable some HTML in the user description: it was stripped out, which makes it hard to fix :)
I am not sure about the reason for using sanitize_text_field(), so I need dev feedback about this.
#11 (11 years ago)
jjj, not all the values returned from the bbp_get_displayed_user_field() function are attributes. I vote to remove the escape function from the bbp_get_displayed_user_field() and bbp_displayed_user_field() functions.
#13 (11 years ago)
Thanks jjj,
Can we remove the use of the sanitize_text_field() function in bbp_get_displayed_user_field()?
It doesn't make sense to me, especially when we want to allow some HTML tags in the user bio.
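The separation that comments #11 and #13 argue for, as an added example that is not bbPress code: the getter returns the stored value untouched, sanitization happens once on the write path and is chosen per field, and each caller escapes for its own output context. bbp_example_user_field() and the $user array are hypothetical stand-ins for bbp_get_displayed_user_field() and the displayed user; esc_html(), esc_attr(), esc_url(), esc_url_raw(), wp_kses_post() and sanitize_text_field() are WordPress core functions.

```php
<?php
/*
 * Added illustration, not bbPress code. bbp_example_user_field() is a
 * hypothetical stand-in for bbp_get_displayed_user_field(); the $user
 * array is constructed sample data. The esc_*, wp_kses_post() and
 * sanitize_text_field() calls are WordPress core functions.
 */

// Constructed sample profile. The description legitimately contains
// markup (a link and emphasis); the display name contains characters
// that must be escaped wherever it is printed.
$user = array(
    'user_nicename' => 'jane-doe',
    'display_name'  => 'Jane "JD" <Doe>',
    'user_url'      => 'https://example.com/?a=1&b=2',
    'description'   => 'Moderator. See <a href="https://example.com">my site</a> for <em>more</em>.',
);

// The getter only fetches. It cannot know whether the caller will put the
// value between tags, in an attribute, in an href, or not print it at
// all, so it must not pick an escaping function on the caller's behalf.
// Sanitizing here (sanitize_text_field) would also strip the HTML the
// description is allowed to carry, which is the bug comment #6 describes.
function bbp_example_user_field( array $user, $field ) {
    return isset( $user[ $field ] ) ? $user[ $field ] : '';
}

// Sanitization belongs on the write path, once, and per field: plain text
// fields use sanitize_text_field(); the URL is normalised with
// esc_url_raw(); the description keeps the post-safe HTML subset via
// wp_kses_post() instead of being flattened to text.
function bbp_example_sanitize_profile( array $input ) {
    return array(
        'user_nicename' => sanitize_text_field( $input['user_nicename'] ),
        'display_name'  => sanitize_text_field( $input['display_name'] ),
        'user_url'      => esc_url_raw( $input['user_url'] ),
        'description'   => wp_kses_post( $input['description'] ),
    );
}

// Escaping belongs on the read path, chosen by the output context:
// esc_attr() in attributes, esc_html() between tags, esc_url() in href,
// wp_kses_post() for the one field that may contain markup.
function bbp_example_profile_card( array $user ) { ?>
    <div class="bbp-user-profile"
         data-user="<?php echo esc_attr( bbp_example_user_field( $user, 'user_nicename' ) ); ?>">
        <h2><?php echo esc_html( bbp_example_user_field( $user, 'display_name' ) ); ?></h2>
        <a href="<?php echo esc_url( bbp_example_user_field( $user, 'user_url' ) ); ?>"
           title="<?php echo esc_attr( bbp_example_user_field( $user, 'display_name' ) ); ?>">
            <?php echo esc_html( bbp_example_user_field( $user, 'user_url' ) ); ?>
        </a>
        <p class="bbp-user-description">
            <?php echo wp_kses_post( bbp_example_user_field( $user, 'description' ) ); ?>
        </p>
    </div>
<?php }
```

With this split, removing esc_attr() and sanitize_text_field() from the getter does not weaken anything as long as every call site escapes, which is exactly what the "use the proper functions to escape the returned value" part of the patch in comment #6 covers.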
(In [4279]) Code Improvement: