[wp-trac] [WordPress Trac] #57686: Introduce wp_trigger_error() to compliment _doing_it_wrong()
WordPress Trac
noreply at wordpress.org
Tue Sep 12 23:24:44 UTC 2023
#57686: Introduce wp_trigger_error() to compliment _doing_it_wrong()
-------------------------------------------------+-------------------------
Reporter: azaozz | Owner: hellofromTonya
Type: enhancement | Status: assigned
Priority: normal | Milestone: 6.4
Component: General | Version:
Severity: normal | Resolution:
Keywords: needs-dev-note has-patch has-unit-tests commit | Focuses:
-------------------------------------------------+-------------------------
Comment (by peterwilsoncc):
> The messy messages would be in the browser and log files. Users,
> extenders, and contributors would all experience significantly less
> readable and less understandable messages.
This is incorrect, with escaping & even double escaping the displayed
message is clearer in the browser when using the default PHP
implementation for displaying errors. Without escaping the message doesn't
display what was input.
With xdebug enabled, you are correct, the messages are double escaped but
WP can't assume that xdebug is running on production sites.
> IMO the discussion of escaping `trigger_error()` messages is beyond the
> scope of this ticket.
>
> Why? Core does not and has not escaped messages or parts of a message
> passed to its instances of `trigger_error()`. This includes in the
> `_deprecated_*()` functions or `_doing_it_wrong()`. Thus a change here in
> this ticket impacts those messages.
Again I disagree, without escaping those of us on this ticket are choosing
to introduce a cross-site-scripting vector. As WP handles double-escaping
if an extender is doing the right thing & following the advice in the
proposed docblock, then there is no effect on the display.
Had a hardening ticket been raised for the other functions then I think
escaping would have been added without hesitation. This new function is an
opportunity for WP to stop doing_it_wrong.
This is a [https://gist.github.com/peterwilsoncc/87160c24a252d211cd9736ed57609d8c gist of the mini-plugin]
I was using to generate the images, it was running with
[https://github.com/WordPress/wordpress-develop/pull/5175 PR#5175] checked out.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57686#comment:43>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
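The double-escaping point argued in the comment above, as an added PHP example that is not part of the ticket, the linked gist, or PR#5175. `escape_once()` and `demo_trigger_error()` are hypothetical names, `htmlspecialchars()` with `double_encode` turned off is assumed as a stand-in for an escape-without-double-encoding helper, and the sample messages are constructed.

```php
<?php
// Added illustration; not WordPress core code.
// Hypothetical helper: escape for HTML output, leaving existing entities alone.
function escape_once(string $message): string
{
    // Fourth argument (double_encode = false) keeps "&lt;" from becoming "&amp;lt;".
    return htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

// Hypothetical wrapper in the spirit of the proposed function: escape, then trigger.
function demo_trigger_error(string $function_name, string $message, int $level = E_USER_NOTICE): void
{
    if ($function_name !== '') {
        $message = sprintf('%s(): %s', $function_name, $message);
    }
    trigger_error(escape_once($message), $level);
}

// Capture what PHP would hand to the display/log layer instead of printing it.
$captured = [];
set_error_handler(function (int $errno, string $errstr) use (&$captured): bool {
    $captured[] = $errstr;
    return true; // suppress PHP's default handler for this demo
});

// Constructed sample messages: the same text, once raw and once pre-escaped.
$samples = [
    'raw markup'      => 'Invalid value <em>foo</em> & more',
    'already escaped' => 'Invalid value &lt;em&gt;foo&lt;/em&gt; &amp; more',
    'plain text'      => 'Invalid value foo',
];

foreach ($samples as $label => $message) {
    demo_trigger_error('my_plugin_fn', $message);
    printf("%-16s %s\n", $label . ':', end($captured));
}
restore_error_handler();

// A caller who already escaped gets the same string as one who did not,
// and raw markup never reaches the error output unencoded.
printf("raw and pre-escaped identical: %s\n", $captured[0] === $captured[1] ? 'yes' : 'no');
```

The same entity-encoded string is what reaches the error log, which is the readability trade-off raised in the quoted reply.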