Fix: Add proper escaping for theme actions in themes.php #7790
Conversation
Adds proper escaping for theme name outputs and URLs in the themes.php file: - Add esc_html() for theme name output - Add esc_url() for customize and activate action URLs - Add esc_attr() for aria labels - Maintain existing translations and template functionality This prevents potential XSS vulnerabilities in theme management interface.
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
|
Did you mean to close this out? |
|
Hey @desrosj, Thanks for asking! I did mean to close this. The moment I created this PR, another PR for the same issue was created and merged ( since the issue addressed security concerns and timing was important ). Now that the issue stands resolved, I had to close the PR. |
|
Ah ha! Thanks, I see that duplicate ticket now. Appreciate the attempt to fix this. |
This PR adds proper escaping for theme names, URLs, and attributes in the themes.php file to prevent potential vulnerabilities.
Changes Made:
esc_html()escaping for theme name outputsesc_url()escaping for theme action URLs: