[wp-trac] [WordPress Trac] #29572: Customizer: add a framework for rendering controls from JS templates
WordPress Trac
noreply at wordpress.org
Tue Oct 21 17:26:49 UTC 2014
#29572: Customizer: add a framework for rendering controls from JS templates
------------------------------------+-------------------------
Reporter: celloexpressions | Owner:
Type: feature request | Status: new
Priority: high | Milestone: 4.1
Component: Customize | Version: 3.4
Severity: normal | Resolution:
Keywords: has-patch dev-feedback | Focuses: javascript
------------------------------------+-------------------------
Comment (by johnbillion):
The one remaining issue with [attachment:29572.2.diff] is that
`esc_html()` doesn't double-encode a string, but double braces in an
Underscore template will. This comes to light with Twenty Fifteen which
escapes its control label in PHP:
`'label' => esc_html__( 'Header & Sidebar Background Color', 'twentyfifteen' )`
The control label also gets escaped using double braces in the JS
template, so the ampersand gets double-encoded and ends up looking like
`Header &amp; Sidebar Background Color`. In the PHP controls, `esc_html()`
is used and doesn't result in double-escaping.
We can fix this in Twenty Fifteen, but many other plugins and themes also
escape their control labels.
I think the solution is to explicitly decode data.label and
data.description before they're passed to the control template. This will
prevent double encoding.
@celloexpressions: thoughts?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/29572#comment:12>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
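
The double encoding described in the comment above, and the decode-before-template step it proposes, as an added example that is not part of the original message or of WordPress core. All helper names are hypothetical stand-ins: `escapeHtml` approximates what double braces do in the JS template, `escHtmlNoDouble` approximates `esc_html()`, and only five entities are handled.

```javascript
// Added example with constructed data; not WordPress or Underscore source code.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
const UNESCAPES = Object.fromEntries(Object.entries(ESCAPES).map(([ch, ent]) => [ent, ch]));
const ENTITY = /&(?:amp|lt|gt|quot|#0?39);/g;

// Stand-in for double braces in the JS template: every special character is
// encoded, including the "&" that starts an already-encoded entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Stand-in for PHP esc_html(): same encoding, but an "&" that already begins
// one of the known entities is left alone (no double encoding).
function escHtmlNoDouble(text) {
  return String(text).replace(/&(?!(?:amp|lt|gt|quot|#0?39);)|[<>"']/g, (ch) => ESCAPES[ch]);
}

// Decode exactly one level of encoding. A single pass never re-scans its own
// output, so "&amp;lt;" becomes "&lt;", not "<".
function decodeEntities(text) {
  return String(text).replace(ENTITY, (ent) => UNESCAPES[ent.replace('#39', '#039')]);
}

// The proposed fix: decode label and description before the data reaches the
// template, so the template's own escaping is the only encoding applied.
function prepareControlData(data) {
  return {
    ...data,
    label: decodeEntities(data.label || ''),
    description: decodeEntities(data.description || ''),
  };
}

// Hypothetical control template that escapes its label on output.
function renderLabel(data) {
  return '<span>' + escapeHtml(data.label) + '</span>';
}

// Constructed input: the label as a theme would send it after escaping in PHP.
const phpLabel = escHtmlNoDouble('Header & Sidebar Background Color');

const broken = renderLabel({ label: phpLabel });                    // &amp;amp; in markup
const fixed = renderLabel(prepareControlData({ label: phpLabel })); // &amp; in markup
```

Decoding first is safe only because the template still escapes on output; a decoded label must not be written through a raw (unescaped) template tag.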