[wp-trac] [WordPress Trac] #58251: Escaping issue found while echoing attribute's dynamic value in html attribute.

WordPress Trac noreply at wordpress.org
Wed Jul 5 20:57:11 UTC 2023


#58251: Escaping issue found while echoing attribute's dynamic value in html
attribute.
-----------------------------------------------+---------------------------
 Reporter:  madhusudandev                      |       Owner:  (none)
     Type:  defect (bug)                       |      Status:  new
 Priority:  normal                             |   Milestone:  6.3
Component:  Toolbar                            |     Version:
 Severity:  normal                             |  Resolution:
 Keywords:  has-patch changes-requested close  |     Focuses:  coding-
                                               |  standards
-----------------------------------------------+---------------------------
Changes (by hellofromTonya):

 * keywords:  has-patch changes-requested => has-patch changes-requested
               close


Comment:

 I agree with @azaozz. Escaping is not needed in this instance.

 Why not escape?
 There's no security risk within its value at the time it's echoed out.

 Why no security risk?
 The `$class` variable:
 1. is set to a static string, meaning there's no data being passed to it
 from other sources such as other code, the database, or user input.
 2. is contained within a function, i.e. has function scope, making it not
 accessible outside of the `_render()` method.

 I can appreciate why @madhusudandev requested the escaping change (hello
 and thank you). But in this case, there's no security increase by adding
 the `esc_` or doing more processing. Instead, the change would increase
 processing time and could cause confusion for contributors who see that it
 is a static string value.

 What about an inline comment to explain why it's not escaped?
 Would this help with understanding the code? If yes, then I'd suggest
 opening a separate Trac ticket to globally apply the inline comment to all
 static value instances. Rather than adding 1 comment for this 1 instance,
 instead add the comment to all instances.

 I'm marking this ticket as a `close` candidate.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/58251#comment:23>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
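To make the distinction in the comment above concrete, here is an added PHP example (not WordPress core code and not the ticket's patch): a hypothetical `render_item()` function with a static, function-scoped `$class` beside a dynamic `title` taken from a node array. The `esc_attr()` fallback only stands in when the snippet runs outside WordPress; inside WordPress the real function is used.

```php
<?php
// Added illustration, not WordPress core code. render_item() and the
// $node array are hypothetical stand-ins for a toolbar render method.

// Fallback so the snippet runs outside WordPress. esc_attr() is the real
// WordPress function and is used when it exists.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

function render_item(array $node): string {
    // Static string with function scope: nothing outside this function can
    // change it, so esc_attr() would only ever hand it back unchanged.
    $class = 'ab-item';

    // Dynamic value: supplied through the node array (e.g. by a plugin),
    // so it must be escaped before being interpolated into an attribute.
    $title = esc_attr($node['title'] ?? '');

    return '<a class="' . $class . '" title="' . $title . '">item</a>';
}

// Escaping the static literal is a no-op: identical output either way.
$static = 'ab-item';
var_dump(esc_attr($static) === $static);

// Constructed sample: a title that tries to close the attribute early.
$node = ['title' => 'Admin" class="injected'];
echo render_item($node), PHP_EOL;
```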

