
Incorrect escaping with sprintf


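// Escape both the translated format string and every value substituted into it.
// Wrapping only the format string in esc_html__() escapes the translation, but the
// arguments that sprintf() inserts afterwards are emitted verbatim, so a value
// holding markup (here a <script> tag) reaches the browser unescaped.
echo sprintf(
    esc_html__( '%s | %s', 'ms-research' ),
    esc_html( '123434' ),
    esc_html( '<script>alert(\'Sprintf\')</script>' )
);

// Escaping the fully formatted output is safe. The translation call, however, must
// receive the literal format string (gettext extraction reads the literal, not a
// runtime-built string), so translate with __() first, format, then escape the result.
echo esc_html( sprintf( __( '%s | %s', 'ms-research' ), '1234', '<script>alert(\'adsfasdfasdf\')</script>' ) );

// Same rule with printf() and positional placeholders: esc_html__() covers the
// translated format only, so each substituted value is escaped with esc_html().
printf(
    esc_html__( 'Your city is %1$s, and your zip code is %2$s.', 'my-text-domain' ),
    esc_html( 'Thing' ),
    esc_html( '<script>alert(\'codex\')</script>' )
);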