[wp-trac] [WordPress Trac] #50867: An API which encourages automatic escaping of HTML

WordPress Trac noreply at wordpress.org
Wed Jan 17 00:49:09 UTC 2024


#50867: An API which encourages automatic escaping of HTML
-------------------------------------------------+-------------------------
 Reporter:  noisysocks                           |       Owner:  (none)
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  Awaiting
                                                 |  Review
Component:  General                              |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch needs-unit-tests needs-    |     Focuses:
  docs dev-feedback 2nd-opinion                  |
-------------------------------------------------+-------------------------

Comment (by dmsnell):

 I've created a new proposal based on the HTML API whose only purpose is to
 create a new tag. Although I will add illustrative tests soon, my day is
 over and I need to sign off for now, but I wanted to share this.

 Originally I had hoped that we could get a much more valuable HTML
 templating system into 6.5, but over the past week I've realized that's a
 bit too rushed.

 With `WP_HTML::tag()` it's possible to create safe HTML. It doesn't
 support nested tags at the moment, as I think that opens some of the more
 complicated design questions that templating does. Still, when the time
 comes, I think we'll find that we have to wrap any inner tags in a class
 to ensure that we don't invite unsafe string operations that could break
 the output; that class would be a call to `WP_HTML::tag()` or some
 variant, meaning the _only_ user- or developer-input we allow ends up as an
 encoded string _or_ the result of calling `WP_HTML::tag()` with encoded
 strings.

 This is different than general purpose templating and it won't be usable
 everywhere, but already it provides a helpful utility with additional
 conveniences over current HTML-generating PHP code. For instance, it's
 possible to pass attribute values as `true` for a boolean attribute or
 `false` to ensure no attribute of the given name appears in the markup.

 {{{#!php
 <?php
 echo WP_HTML::tag( 'div', array( 'class' => 'is-safe' ), 'Hello, world!' );
 // <div class="is-safe">Hello, world!</div>

 echo WP_HTML::tag( 'input', array( 'type' => '"></script>', 'disabled' => true ), 'Is this > that?' );
 // <input type="&quot;&gt;&lt;/script&gt;" disabled>

 echo WP_HTML::tag( 'p', null, 'Is this > that?' );
 // <p>Is this > that?</p>

 echo WP_HTML::tag( 'wp-emoji', array( 'name' => ':smile:' ), null, 'self-closing' );
 // <wp-emoji name=":smile:" />
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50867#comment:14>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
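As an added example (not the proposal's patch and not part of this ticket), the following standalone PHP sketch implements the escaping semantics described in the comment above: attribute values are always escaped, `true` emits a bare boolean attribute, `false` omits the attribute, text content is escaped rather than parsed, and a self-closing style is supported. `demo_html_tag` and `DEMO_VOID_ELEMENTS` are hypothetical names, and `htmlspecialchars` stands in for WordPress's own escaping functions so the file runs without WordPress loaded.

```php
<?php
// Added illustration; not the code from the ticket's patch.

// HTML void elements never get an end tag (per the HTML spec), so a caller
// asking for <input> should not receive a stray </input>.
const DEMO_VOID_ELEMENTS = array(
	'area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input',
	'link', 'meta', 'source', 'track', 'wbr',
);

/**
 * Build one HTML element with every caller-supplied string escaped.
 *
 * @param string      $tag_name   Element name; must match /^[a-z][a-z0-9-]*$/i.
 * @param array|null  $attributes Name => value. `true` emits a boolean attribute,
 *                                `false` or null omits it, anything else is escaped.
 * @param string|null $inner_text Text content; escaped, never interpreted as markup.
 * @param string      $style      'normal' or 'self-closing'.
 * @return string Serialized HTML.
 */
function demo_html_tag( $tag_name, $attributes = null, $inner_text = null, $style = 'normal' ) {
	// A tag name is the one place where escaping cannot help: reject anything
	// that could terminate the tag or introduce a second one.
	if ( ! preg_match( '/^[a-z][a-z0-9-]*$/i', $tag_name ) ) {
		throw new InvalidArgumentException( "Invalid tag name: {$tag_name}" );
	}
	$tag_name = strtolower( $tag_name );
	$html     = '<' . $tag_name;

	foreach ( (array) $attributes as $name => $value ) {
		// Attribute names are normally developer-supplied; validate them anyway
		// so a quote, slash or angle bracket cannot break out of the attribute list.
		if ( ! preg_match( '/^[a-z][a-z0-9-]*$/i', $name ) ) {
			throw new InvalidArgumentException( "Invalid attribute name: {$name}" );
		}
		$name = strtolower( $name );

		if ( false === $value || null === $value ) {
			continue; // `false` means "make sure this attribute is absent".
		}
		if ( true === $value ) {
			$html .= ' ' . $name; // Boolean attribute: name only, no value.
			continue;
		}
		// ENT_QUOTES escapes both quote styles, so a `"` inside the value can no
		// longer close the attribute, and `<` / `>` cannot start a new tag.
		$escaped = htmlspecialchars( (string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
		$html   .= ' ' . $name . '="' . $escaped . '"';
	}

	if ( 'self-closing' === $style ) {
		return $html . ' />';
	}

	$html .= '>';

	if ( in_array( $tag_name, DEMO_VOID_ELEMENTS, true ) ) {
		return $html; // Void element: no content, no end tag.
	}

	if ( null !== $inner_text ) {
		// Text content: `<` and `&` are the characters that matter here; `>` is
		// escaped too, which browsers decode identically.
		$html .= htmlspecialchars( (string) $inner_text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
	}

	return $html . '</' . $tag_name . '>';
}

// Constructed sample calls mirroring the cases in the comment.
echo demo_html_tag( 'div', array( 'class' => 'is-safe' ), 'Hello, world!' ), "\n";
// <div class="is-safe">Hello, world!</div>

echo demo_html_tag( 'input', array( 'type' => '"></script>', 'disabled' => true, 'hidden' => false ) ), "\n";
// <input type="&quot;&gt;&lt;/script&gt;" disabled>

echo demo_html_tag( 'p', null, 'Fish & chips <b>not bold</b>' ), "\n";
// <p>Fish &amp; chips &lt;b&gt;not bold&lt;/b&gt;</p>

echo demo_html_tag( 'wp-emoji', array( 'name' => ':smile:' ), null, 'self-closing' ), "\n";
// <wp-emoji name=":smile:" />

try {
	demo_html_tag( 'div><script>', null, '' );
} catch ( InvalidArgumentException $e ) {
	echo 'rejected: ', $e->getMessage(), "\n";
}
```

The design point the sketch makes is the one the comment argues for: because the only inputs the builder accepts are a validated tag name, validated attribute names, and strings that are unconditionally escaped, a caller cannot produce an unclosed attribute or an injected tag even when the value is attacker-controlled, which is what makes `false` (omit) and `true` (bare boolean attribute) safe conveniences rather than string concatenation.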