[wp-trac] [WordPress Trac] #21627: Filter for custom-background CSS selector

WordPress Trac noreply at wordpress.org
Fri Dec 2 18:47:14 UTC 2016

#21627: Filter for custom-background CSS selector
 Reporter:  Horttcore                            |       Owner:
     Type:  enhancement                          |  peterwilsoncc
 Priority:  low                                  |      Status:  assigned
Component:  Customize                            |   Milestone:  4.8
 Severity:  minor                                |     Version:  3.4.1
 Keywords:  needs-testing needs-unit-tests       |  Resolution:
  needs-patch                                    |     Focuses:
Changes (by westonruter):

 * keywords:  has-patch needs-testing needs-unit-tests => needs-testing
     needs-unit-tests needs-patch
 * milestone:  Future Release => 4.8


 @peterwilsoncc the background settings being added in
 `WP_Customize_Manager` should not be escaped because they are part of an
 array that will be safely serialized to JSON, and escaping should only be
 done at printing time.

 In terms of escaping, you can look at `wp_custom_css_cb()` which escapes
 just by doing `strip_tags`. The key need there is to ensure that a user
 doesn't enter `</style>` or any `script` tags. It's important to not use
 `esc_html()` because that will corrupt descendant selectors, like `html
 > body`.

 That being said, I don't think escaping is entirely appropriate because
 the selector is being defined statically in code. It's not coming from
 user data.

Ticket URL: <https://core.trac.wordpress.org/ticket/21627#comment:26>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list