[wp-trac] [WordPress Trac] #23012: Refresh the code for the default widgets
WordPress Trac
noreply at wordpress.org
Fri Jul 3 13:29:02 UTC 2015
#23012: Refresh the code for the default widgets
-------------------------------------------------+-------------------------
 Reporter:  Viper007Bond                         |       Owner:  chriscct7
     Type:  enhancement                          |      Status:  reviewing
 Priority:  normal                               |   Milestone:  Future Release
Component:  Widgets                              |     Version:  3.5
 Severity:  normal                               |  Resolution:
 Keywords:  good-first-bug has-patch dev-feedback |     Focuses:
-------------------------------------------------+-------------------------
Comment (by welcher):
Replying to [comment:19 chriscct7]:
> @welcher The changes like ```esc_html_e( 'Page IDs, separated by
> commas.' );``` where the string is hardcoded don't need to be escaped
> (because they are hardcoded). Running esc_html on those is just a little
> performance hit for no real gain there.
>
Anything that is being translated is potentially an attack vector if the
output is not escaped. It's not the hardcoded string in the method that is
the concern but rather the translated string. It is common practice to
escape translated output when working with WordPress.com VIP and, while I
realize this is not VIP, I think having these in place provides a good
example for those that may be using these widgets as a starting point. I
personally think the small amount of performance hit is worth the security
gain.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/23012#comment:21>
WordPress Trac <https://core.trac.wordpress.org/>
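A worked illustration of the point made in the comment above, added here and not part of the ticket or of WordPress core. It assumes a loaded WordPress environment (for example run via `wp eval-file`) and uses a constructed, deliberately marked-up translation to stand in for a tampered .mo file or a rogue plugin hooking the translation layer.

```php
<?php
// Added example, not WordPress core code. Requires WordPress to be loaded.
// Translated strings pass through the 'gettext' filter, which any plugin can
// hook, so the literal in the widget source is not necessarily what reaches
// the browser. This is why the *translated* output is treated as untrusted.

// Constructed demo translation: harmless markup, visible enough to inspect.
const DEMO_ORIGINAL   = 'Page IDs, separated by commas.';
const DEMO_TRANSLATED = 'Page IDs, separated by commas.<em data-demo="injected">[markup from translation]</em>';

// Stand-in for a hostile or tampered translation source.
add_filter( 'gettext', function ( $translation, $text, $domain ) {
    if ( 'default' === $domain && DEMO_ORIGINAL === $text ) {
        return DEMO_TRANSLATED;
    }
    return $translation;
}, 10, 3 );

// Capture what each output function actually emits for the same literal.
function demo_capture( callable $emit ) {
    ob_start();
    $emit();
    return ob_get_clean();
}

// _e(): the translated string is echoed as raw HTML.
$unescaped = demo_capture( function () {
    _e( 'Page IDs, separated by commas.' );
} );

// esc_html_e(): the translated string goes through esc_html(), which turns
// angle brackets into entities, so injected markup is rendered as text.
$escaped = demo_capture( function () {
    esc_html_e( 'Page IDs, separated by commas.' );
} );

// Report whether a live <em> tag survived into the output of each call.
$has_live_tag = function ( $html ) {
    return false !== strpos( $html, '<em' );
};
printf( "_e():         live markup in output? %s\n", $has_live_tag( $unescaped ) ? 'yes' : 'no' );
printf( "esc_html_e(): live markup in output? %s\n", $has_live_tag( $escaped ) ? 'yes' : 'no' );
```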