Users: Add missing escaping on the Add New User screen.

While the `$type` and `$label` variables are set to values that do not currently require escaping, this may change in the future, so it is preferable to add the escaping as a defensive coding measure. Follow-up to [16294], [29030]. Props monzuralam, rudlinkon, hztyfoon, peterwilsoncc. Fixes #57133. git-svn-id: https://develop.svn.wordpress.org/trunk@54857 602fd350-edb4-49c9-b593-d223f7449a82
2026-06-28 14:20:15 +00:00 · 2022-11-18 15:19:07 +00:00
parent 4b5931521b
commit 868709a4e7
1 changed files with 2 additions and 2 deletions
--- a/src/wp-admin/user-new.php
+++ b/src/wp-admin/user-new.php
@@ -442,8 +442,8 @@ if ( is_multisite() && current_user_can( 'promote_users' ) ) {

 <table class="form-table" role="presentation">
 	<tr class="form-field form-required">
-		<th scope="row"><label for="adduser-email"><?php echo $label; ?></label></th>
-		<td><input name="email" type="<?php echo $type; ?>" id="adduser-email" class="wp-suggest-user" value="" /></td>
+		<th scope="row"><label for="adduser-email"><?php echo esc_html( $label ); ?></label></th>
+		<td><input name="email" type="<?php echo esc_attr( $type ); ?>" id="adduser-email" class="wp-suggest-user" value="" /></td>
 	</tr>
 	<tr class="form-field">
 		<th scope="row"><label for="adduser-role"><?php _e( 'Role' ); ?></label></th>