[wp-trac] [WordPress Trac] #30036: Add some escaping to $handle when printing styles.

WordPress Trac noreply at wordpress.org
Sun Oct 19 00:43:23 UTC 2014


#30036: Add some escaping to $handle when printing styles.
-----------------------------+------------------------------
 Reporter:  georgestephanis  |       Owner:
     Type:  defect (bug)     |      Status:  new
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Script Loader    |     Version:
 Severity:  normal           |  Resolution:
 Keywords:                   |     Focuses:
-----------------------------+------------------------------

Comment (by georgestephanis):

 I'd be most comfortable if we used `esc_attr()` right before the output.
 That has the least chance for breakage on backward compatibility if
 someone's trying to call `wp_style_add_data()` on a funkily-named asset
 that had previously worked -- and now suddenly doesn't.

 If we were building the system from scratch and didn't have to worry about
 backward compatibility, I'd probably also add one on when the dependency
 is registered/enqueued, but still as we do tend to work off of globals,
 would probably want the added security of `esc_attr()`'ing the output.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/30036#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
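
The trade-off described in the comment above, as an added example that is not WordPress core code or part of the original message: escaping at output leaves the stored handle untouched, so later lookups by the original string still succeed, whereas rewriting the handle at registration changes the lookup key. `example_esc_attr()` and `Example_Styles` are hypothetical stand-ins so the block runs outside WordPress, and the handle value is constructed.

```php
<?php
// Stand-in for WordPress's esc_attr() so the example runs outside WordPress (assumption).
function example_esc_attr( $text ) {
    return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
}

// Hypothetical minimal registry keyed by handle, loosely modelled on a style registry.
class Example_Styles {
    public $registered = array();

    public function add( $handle, $src ) {
        $this->registered[ $handle ] = array( 'src' => $src, 'extra' => array() );
    }

    // Lookup by the exact handle string the caller registered,
    // as a later wp_style_add_data()-style call would do.
    public function add_data( $handle, $key, $value ) {
        if ( ! isset( $this->registered[ $handle ] ) ) {
            return false;
        }
        $this->registered[ $handle ]['extra'][ $key ] = $value;
        return true;
    }

    // Escape only at the point of output; the stored handle is untouched.
    public function render( $handle ) {
        $item = $this->registered[ $handle ];
        return sprintf(
            "<link rel='stylesheet' id='%s-css' href='%s' />",
            example_esc_attr( $handle ),
            example_esc_attr( $item['src'] )
        );
    }
}

$handle = "my 'funky' <handle>"; // constructed sample value

// Approach 1: store as given, escape at output. The original handle still resolves.
$styles = new Example_Styles();
$styles->add( $handle, 'https://example.test/style.css' );
var_dump( $styles->add_data( $handle, 'conditional', 'lt IE 9' ) );
echo $styles->render( $handle ), "\n";

// Approach 2: rewrite the handle at registration. Callers using the original string miss.
$rewritten = new Example_Styles();
$rewritten->add( example_esc_attr( $handle ), 'https://example.test/style.css' );
var_dump( $rewritten->add_data( $handle, 'conditional', 'lt IE 9' ) );
```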