[wp-trac] [WordPress Trac] #58127: Twenty Eleven: Add escaping as per the WordPress VIP standards
WordPress Trac
noreply at wordpress.org
Fri Jun 9 17:37:15 UTC 2023
#58127: Twenty Eleven: Add escaping as per the WordPress VIP standards
-------------------------------------+------------------------------
Reporter: himshekhar07 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Bundled Theme | Version:
Severity: normal | Resolution:
Keywords: needs-patch 2nd-opinion | Focuses:
-------------------------------------+------------------------------
Comment (by sabernhardt):
I do not recommend escaping translatable strings //on this ticket//, and it likely is not worth doing if themes such as Twenty Eleven [https://make.wordpress.org/core/2023/05/16/proposal-retiring-older-default-themes/ might be retired soon].
However, the search query escaping is inconsistent.
1. Twenty Twenty's `$archive_title` runs through `wp_kses_post()` in
`index.php`:
{{{
$archive_title = sprintf(
	'%1$s %2$s',
	'<span class="color-accent">' . __( 'Search:', 'twentytwenty' ) . '</span>',
	'“' . get_search_query() . '”'
);
}}}
2. Twenty Sixteen and Twenty Twenty-One have `esc_html()` inside a `span`:
{{{
// Twenty Sixteen search.php
printf( __( 'Search Results for: %s', 'twentysixteen' ), '<span>' . esc_html( get_search_query() ) . '</span>' );
// Twenty Twenty-One search.php and template-parts\content\content-none.php
'<span class="page-description search-term">' . esc_html( get_search_query() ) . '</span>'
}}}
3. Some `search.php` templates do not escape within the `span`:
{{{
// pattern in Twenty Ten, Twenty Eleven, Twenty Twelve and Twenty Seventeen
printf( __( 'Search Results for: %s', 'twentyseventeen' ), '<span>' . get_search_query() . '</span>' );
// Twenty Nineteen search.php
<span class="page-description"><?php echo get_search_query(); ?></span>
}}}
4. Other `search.php` templates do not escape inside the `h1` (without a
`span`):
{{{
// pattern for Twenty Thirteen, Twenty Fourteen and Twenty Fifteen:
printf( __( 'Search Results for: %s', 'twentyfifteen' ), get_search_query() );
}}}
5. The function output is not escaped inside value attributes (which may
be unnecessary).
{{{
// Twenty Sixteen searchform.php
<input type="search" class="search-field" placeholder="<?php echo esc_attr_x( 'Search …', 'placeholder', 'twentysixteen' ); ?>" value="<?php echo get_search_query(); ?>" name="s" />
// Twenty Seventeen searchform.php
<input type="search" id="<?php echo $unique_id; ?>" class="search-field" placeholder="<?php echo esc_attr_x( 'Search …', 'placeholder', 'twentyseventeen' ); ?>" value="<?php echo get_search_query(); ?>" name="s" />
// Twenty Twenty searchform.php
<input type="search" id="<?php echo esc_attr( $twentytwenty_unique_id ); ?>" class="search-field" placeholder="<?php echo esc_attr_x( 'Search …', 'placeholder', 'twentytwenty' ); ?>" value="<?php echo get_search_query(); ?>" name="s" />
// Twenty Twenty-One searchform.php
<input type="search" id="<?php echo esc_attr( $twentytwentyone_unique_id ); ?>" class="search-field" value="<?php echo get_search_query(); ?>" name="s" />
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58127#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list
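The comment above lists five output patterns for the same value and notes that escaping it again inside `value` attributes "may be unnecessary". The script below is an added example, not code from the ticket or from any bundled theme: it renders those patterns side by side for one constructed search string so the difference (or lack of it) is visible. `esc_attr()`, `esc_html()` and `get_search_query()` are stand-ins written here to approximate WordPress core (core returns `esc_attr( $s )` from `get_search_query()` unless `$escaped` is `false`, and its escaping functions do not double-encode existing entities); the `$constructed_query` value is made up for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the ticket or from any bundled theme.
// The WordPress functions named in the comment are replaced by small
// stand-ins so this runs with plain `php` and no WordPress install.

// Stand-in for esc_attr()/esc_html(). Core routes both through
// _wp_specialchars() with double-encoding off, so an existing
// '&amp;' is not turned into '&amp;amp;'. Assumption: this is a close
// enough model for the comparison below.
function esc_attr(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
}
function esc_html(string $text): string
{
    return esc_attr($text);
}

// Constructed sample: what the 's' query var might hold after
// WordPress has parsed ?s=... from the request.
$constructed_query = '<b>"x" & y</b>';

// Stand-in for get_search_query(): core returns esc_attr( $s ) unless
// the caller passes $escaped = false.
function get_search_query(bool $escaped = true): string
{
    global $constructed_query;
    return $escaped ? esc_attr($constructed_query) : $constructed_query;
}

// The output patterns from the comment, rendered for the same query.
function render_patterns(): array
{
    $q = get_search_query();
    return [
        'span, no esc_html()'    => '<span>' . $q . '</span>',
        'span, esc_html()'       => '<span>' . esc_html($q) . '</span>',
        'h1, no escaping'        => sprintf('Search Results for: %s', $q),
        'value attr, plain'      => 'value="' . $q . '"',
        'value attr, esc_attr()' => 'value="' . esc_attr($q) . '"',
    ];
}

foreach (render_patterns() as $label => $html) {
    // Every line prints the same escaped text: the escaping already
    // happened inside get_search_query(), and the second esc_*() call
    // leaves the existing entities alone.
    printf("%-24s %s\n", $label, $html);
}

// Why an explicit esc_*() at the point of output is still the habit
// worth keeping: the protection lives inside get_search_query(), so a
// call with $escaped = false (or any other unescaped source) pushes raw
// markup into the template unless the template escapes for itself.
echo "\nraw query, no late escaping:     <span>"
    . get_search_query(false) . "</span>\n";
echo "raw query, esc_html() at output: <span>"
    . esc_html(get_search_query(false)) . "</span>\n";
```

Run it with `php example.php`. The first five lines come out identical, which is the point behind "may be unnecessary"; the last two lines show that the identical result depends on the helper having escaped for you, whereas `esc_html()` or `esc_attr()` written at the output site is correct regardless of what the helper returned and is what a reviewer looks for when auditing a template.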