[wp-trac] [WordPress Trac] #57686: Introduce wp_trigger_error() to compliment _doing_it_wrong()

WordPress Trac noreply at wordpress.org
Thu Sep 7 21:01:08 UTC 2023 

#57686: Introduce wp_trigger_error() to compliment _doing_it_wrong()
-------------------------------------------------+-------------------------
 Reporter:  azaozz                               |       Owner:
                                                 |  hellofromTonya
     Type:  enhancement                          |      Status:  assigned
 Priority:  normal                               |   Milestone:  6.4
Component:  General                              |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  needs-dev-note has-patch has-unit-   |     Focuses:
  tests commit                                   |
-------------------------------------------------+-------------------------

Comment (by flixos90):

 @hellofromTonya Regarding the escaping, my 2 cents is that we should
 **avoid escaping in these functions entirely**, for the following reasons:

 * None of these functions have historically escaped their messages, and
 given this was never raised as a problem (as far as I'm aware) I'm not
 convinced now is a good reason to start auto-escaping.
 * Automatically escaping, as great as it would be if possible, is
 unreliable, as we can tell from this alone. Escaping is not a "one size
 fits all" thing: Sometimes it is about escaping all HTML (`esc_html()`),
 while other times it is about stripping all HTML except a certain set of
 tags or attributes (see `wp_kses()`).
 * Other related functions like `wp_die()` do not automatically escape
 either, instead developers should escape the content that they pass to it
 as needed.
 * `trigger_error()` does not escape what is passed to it, so why should
 `wp_trigger_error()` do so? I think that mixes up responsibilities, in
 addition to the above problems.

 While it would be great if somehow WordPress core could automatically
 escape anything anywhere, in reality this is something that is
 responsibility of the individual developer since in most cases it can't be
 centrally handled. We already have WordPress coding standards that flag
 any missing escaping, and I think we should continue to rely on those.

 So I think we should remove the `esc_html()` call from
 `wp_trigger_error()`.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/57686#comment:34>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list