[wp-trac] [WordPress Trac] #58251: Escaping issue found while echoing attribute's dynamic value in html attribute.
WordPress Trac
noreply at wordpress.org
Fri Jul 14 21:16:11 UTC 2023
#58251: Escaping issue found while echoing attribute's dynamic value in html
attribute.
-----------------------------+-------------------------------
Reporter: madhusudandev | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Toolbar | Version:
Severity: normal | Resolution: invalid
Keywords: has-patch close | Focuses: coding-standards
-----------------------------+-------------------------------
Changes (by azaozz):
* status: new => closed
* resolution: => invalid
* milestone: 6.3 =>
Comment:
Replying to [comment:23 hellofromTonya]:
> Escaping is not needed in this instance.
> ...
> I'm marking this ticket as a `close` candidate.
Sounds good.
@gaambo
> every variable (even with hardcoded contents) should be escaped
I don't see explicit mention that hard-coded strings should be escaped.
But you're right, the quoted text seems to suggest that.
Unfortunately I don't see the reason why hard-coded strings need to be
escaped or "pre-processed" in any way if they meet the standards for the
intended use. In this case the `$class` is hard-coded to `nojq nojs` and
`mobile` may be appended. The syntax of the `$class` strings meets the
specific requirements for its intended use and there is no chance for it
to be changed to anything else or to stop meeting these requirements.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58251#comment:26>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform