[wp-trac] [WordPress Trac] #57686: Introduce wp_trigger_error() to compliment _doing_it_wrong()

WordPress Trac noreply at wordpress.org
Tue Sep 12 23:24:44 UTC 2023


#57686: Introduce wp_trigger_error() to compliment _doing_it_wrong()
-------------------------------------------------+-------------------------
 Reporter:  azaozz                               |       Owner:  hellofromTonya
     Type:  enhancement                          |      Status:  assigned
 Priority:  normal                               |   Milestone:  6.4
Component:  General                              |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  needs-dev-note has-patch             |     Focuses:
            has-unit-tests commit                |
-------------------------------------------------+-------------------------

Comment (by peterwilsoncc):

 > The messy messages would be in the browser and log files. Users,
 extenders, and contributors would all experience significantly less
 readable and less understandable messages.

 This is incorrect: with escaping, and even with double escaping, the
 displayed message is clearer in the browser when using the default PHP
 implementation for displaying errors. Without escaping, the message doesn't
 display what was input.

 With xdebug enabled you are correct, the messages are double escaped, but
 WP can't assume that xdebug is running on production sites.

 > IMO the discussion of escaping `trigger_error()` messages is beyond the
 scope of this ticket.
 >
 > Why? Core does not and has not escaped messages or parts of a message
 passed to its instances of `trigger_error()`. This includes in the
 `_deprecated_*()` functions or `_doing_it_wrong()`. Thus a change here in
 this ticket impacts those messages.

 Again I disagree: without escaping, those of us on this ticket are choosing
 to introduce a cross-site-scripting vector. As WP handles double-escaping,
 if an extender is doing the right thing & following the advice in the
 proposed docblock, then there is no effect on the display.

 Had a hardening ticket been raised for the other functions, then I think
 escaping would have been added without hesitation. This new function is an
 opportunity for WP to stop doing_it_wrong.

 This is a
 [https://gist.github.com/peterwilsoncc/87160c24a252d211cd9736ed57609d8c
 gist of the mini-plugin] I was using to generate the images; it was
 running with [https://github.com/WordPress/wordpress-develop/pull/5175
 PR#5175] checked out.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/57686#comment:43>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
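The XSS vector and the double-escaping point above, as an added stand-alone
example. This is not code from the ticket, the linked PR, the linked gist or
WordPress core: example_escape_message() and example_trigger_error() are
hypothetical stand-ins, not esc_html() or wp_trigger_error(). The escaper
uses htmlspecialchars() with double_encode=false to reproduce the
"WP handles double-escaping" behaviour the comment describes, so a message an
extender already escaped renders identically to one escaped only by the
wrapper. The page rendering is PHP's own default error display
(display_errors=1, html_errors=1), on which trigger_error() messages are
emitted unescaped.

```php
<?php
// Added example for this thread; not code from the ticket or from WordPress.
// example_escape_message() and example_trigger_error() are hypothetical
// stand-ins for esc_html() and the proposed wp_trigger_error().

/**
 * Escape a message for HTML output without re-encoding entities that are
 * already present (double_encode = false). A message the extender escaped
 * beforehand therefore comes out the same as one escaped only here.
 */
function example_escape_message( string $message ): string {
    return htmlspecialchars( $message, ENT_QUOTES, 'UTF-8', false );
}

/**
 * Hypothetical wrapper: escape, then hand the message to trigger_error().
 */
function example_trigger_error( string $function_name, string $message, int $level = E_USER_NOTICE ): void {
    trigger_error( sprintf( '%s(): %s', $function_name, example_escape_message( $message ) ), $level );
}

/**
 * Run $emit under PHP's default in-page error display and return the HTML
 * PHP would have sent to the browser. PHP does not escape user messages
 * raised via trigger_error() on this path, which is the vector at issue.
 */
function render_as_php_would( callable $emit ): string {
    ini_set( 'display_errors', '1' );
    ini_set( 'html_errors', '1' );
    error_reporting( E_ALL );
    ob_start();
    $emit();
    return ob_get_clean();
}

/**
 * Compare three ways of raising the same notice with untrusted content:
 * raw trigger_error(), the escaping wrapper, and the wrapper fed a message
 * the caller had already escaped (the docblock advice case).
 */
function compare_error_rendering( string $untrusted ): array {
    $raw = render_as_php_would(
        fn() => trigger_error( 'my_plugin(): ' . $untrusted, E_USER_NOTICE )
    );
    $escaped = render_as_php_would(
        fn() => example_trigger_error( 'my_plugin', $untrusted )
    );
    // Both wrapper calls raise the error from the same line inside
    // example_trigger_error(), so PHP's "in <file> on line <n>" suffix matches
    // and the two outputs can be compared byte for byte.
    $pre_escaped = render_as_php_would(
        fn() => example_trigger_error( 'my_plugin', example_escape_message( $untrusted ) )
    );

    return array(
        'raw_has_live_script'     => strpos( $raw, '<script>' ) !== false,
        'escaped_has_live_script' => strpos( $escaped, '<script>' ) !== false,
        'pre_escaped_identical'   => $escaped === $pre_escaped,
        'escaped_output'          => $escaped,
    );
}

// Constructed input: a request-controlled value a plugin might echo back in a
// notice. Quotes are included so ENT_QUOTES handling is exercised too.
$constructed_input = '<script>alert("xss")</script>';

foreach ( compare_error_rendering( $constructed_input ) as $check => $result ) {
    printf( "%-26s %s\n", $check, is_bool( $result ) ? ( $result ? 'yes' : 'no' ) : trim( $result ) );
}
```

Run it with xdebug not loaded (for instance `php -n example.php`), because
xdebug replaces PHP's error display with its own HTML formatting and, as the
comment notes, escapes the message itself; the raw call then no longer shows
a live `<script>` tag and the comparison says nothing about production
servers that run without it.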

