[wp-trac] [WordPress Trac] #57110: Correctly some attributes escape is missing in this ( wp-admin/includes/nav-menu.php ) file.
WordPress Trac
noreply at wordpress.org
Fri Mar 31 16:04:00 UTC 2023
#57110: Correctly some attributes escape is missing in this ( wp-admin/includes/nav-menu.php ) file.
--------------------------+-----------------------------------------------
Reporter: zenaulislam | Owner: SergeyBiryukov
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 6.3
Component: Menus | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses: administration, coding-standards
--------------------------+-----------------------------------------------
Changes (by SergeyBiryukov):
* status: closed => reopened
* resolution: fixed =>
Comment:
Replying to [comment:5 SergeyBiryukov]:
> It would be more consistent with some existing instances to only escape
> the variable, e.g.
> {{{
> <div id="posttype-<?php echo esc_attr( $post_type_name ); ?>" class="posttypediv">
> }}}
> instead of:
> {{{
> <div id="<?php echo esc_attr( 'posttype-' . $post_type_name ); ?>" class="posttypediv">
> }}}
Ah, it looks like I missed [https://github.com/WordPress/wordpress-develop/pull/3626#discussion_r1023000343 Juliette's comment] here that the latter is actually best practice:
> Here and in other places: it is best to always escape the complete value
> of an attribute, not a partial value, as otherwise the escaping could be
> (partially) undone when the values are joined together.
>
> While the hard-coded prefix/suffix values in this case don't necessarily
> create that risk, those may change to values which could be problematic,
> so making it a habit to escape the value in one go is best practice.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57110#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
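Added example (not WordPress core code and not from the ticket) showing why the whole attribute value should be escaped in one go, as Juliette's comment describes. It assumes `htmlspecialchars()` with `ENT_QUOTES` as a stand-in for `esc_attr()`, and the prefixes other than `posttype-` are constructed to show what happens when a hard-coded prefix later becomes a problematic value.

```php
<?php
// Stand-in for esc_attr(): escape an attribute value (assumption, not WP's own function).
function esc_attr_like(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', true);
}

// Partial escaping: only the variable is escaped, the prefix is joined in raw.
function id_partial(string $prefix, string $value): string {
    return $prefix . esc_attr_like($value);
}

// Whole-value escaping: prefix and value are joined first, then escaped together.
function id_whole(string $prefix, string $value): string {
    return esc_attr_like($prefix . $value);
}

$cases = [
    // The ticket's case: a constant, safe prefix. Both approaches give the same output.
    ['posttype-', 'post"'],
    // Constructed: the prefix itself now carries an attribute delimiter.
    ['post"type-', 'post'],
    // Constructed: prefix and escaped value combine into an entity, so the
    // browser decodes a character that the partial escaping never saw.
    ['&#', '34;'],
];

foreach ($cases as [$prefix, $value]) {
    $partial = id_partial($prefix, $value);
    $whole   = id_whole($prefix, $value);
    printf("prefix=%s value=%s\n", var_export($prefix, true), var_export($value, true));
    printf("  partial: id=\"%s\" -> browser sees %s\n", $partial,
        var_export(html_entity_decode($partial, ENT_QUOTES, 'UTF-8'), true));
    printf("  whole:   id=\"%s\" -> browser sees %s\n", $whole,
        var_export(html_entity_decode($whole, ENT_QUOTES, 'UTF-8'), true));
    echo $partial === $whole ? "  same\n" : "  DIFFERENT: partial escaping left raw markup\n";
}
```

The first case prints identical output for both approaches, which is why the hard-coded `posttype-` prefix is not a risk today; the constructed cases show the raw quote and the re-assembled `&#34;` entity that only whole-value escaping neutralises.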