Security: Remove use of innerHTML in the the_block_template_skip_link() function.

There is no need to support HTML in this string and switching to `innerText` helps facilitate a more restrictive Content Security Policy.

Props micromadness, sabernhardt

Fixes #58765

git-svn-id: https://develop.svn.wordpress.org/trunk@59831 602fd350-edb4-49c9-b593-d223f7449a82
John Blackbourn 2025-02-17 16:23:52 +00:00
parent 315cd6de21
commit a1440ae4e1


@ -205,7 +205,7 @@ function wp_enqueue_block_template_skip_link() {
skipLink.classList.add( 'skip-link', 'screen-reader-text' );
skipLink.id = 'wp-skip-link';
skipLink.href = '#' + skipLinkTargetID;
skipLink.innerHTML = '<?php /* translators: Hidden accessibility text. */ esc_html_e( 'Skip to content' ); ?>';
skipLink.innerText = '<?php /* translators: Hidden accessibility text. Do not use HTML entities (&nbsp;, etc.). */ esc_html_e( 'Skip to content' ); ?>';
// Inject the skip link.
sibling.parentElement.insertBefore( skipLink, sibling );
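Review bot: The new `skipLink.innerText` assignment still fills a JavaScript string literal through `esc_html_e()`, which escapes for HTML rather than for script. Any entity it emits (`&#039;` for an apostrophe, `&amp;` for an ampersand in a translation) is no longer decoded and would presumably show up literally in the skip link, and a backslash or line break in the translated string is not escaped for the script context at all. Encoding the value for JavaScript keeps the CSP benefit without relying on translators to avoid those characters: `skipLink.textContent = <?php echo wp_json_encode( __( 'Skip to content' ), JSON_HEX_TAG | JSON_HEX_AMP ); ?>;`, with the translators comment kept in front of `__()`. `textContent` is suggested over `innerText` only because it does not depend on layout; neither parses HTML. The enclosing wp_enqueue_block_template_skip_link() starts and ends outside this hunk, so how the script is printed should be checked before settling on the flags.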