[wp-trac] [WordPress Trac] #21627: Filter for custom-background CSS selector
WordPress Trac
noreply at wordpress.org
Fri Dec 2 18:47:14 UTC 2016
#21627: Filter for custom-background CSS selector
-------------------------------------------------+-------------------------
 Reporter:  Horttcore                            |       Owner:  peterwilsoncc
     Type:  enhancement                          |      Status:  assigned
 Priority:  low                                  |   Milestone:  4.8
Component:  Customize                            |     Version:  3.4.1
 Severity:  minor                                |  Resolution:
 Keywords:  needs-testing needs-unit-tests       |     Focuses:
            needs-patch                          |
-------------------------------------------------+-------------------------
Changes (by westonruter):
* keywords: has-patch needs-testing needs-unit-tests => needs-testing
needs-unit-tests needs-patch
* milestone: Future Release => 4.8
Comment:
@peterwilsoncc the background settings being added in
`WP_Customize_Manager` should not be escaped because they are part of an
array that will be safely serialized to JSON, and escaping should only be
done at printing time.

In terms of escaping, you can look at `wp_custom_css_cb()` which escapes
just by doing `strip_tags`. The key need there is to ensure that a user
doesn't enter `</style>` or any `script` tags. It's important to not use
`esc_html()` because that will corrupt descendant selectors, like
`html > body`.

That being said, I don't think escaping is entirely appropriate because
the selector is being defined statically in code. It's not coming from
user data.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21627#comment:26>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
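
The escaping distinction discussed in the comment above, as an added example that is not part of the original message or of WordPress core: it prints the same selector into a `<style>` element once through `strip_tags()` and once through HTML-entity escaping. `htmlspecialchars()` stands in for `esc_html()` so the script runs without WordPress; `render_background_css()`, the two `escape_for_*` helpers and the sample selectors are constructed for illustration.

```php
<?php
// Added example, not WordPress core code.

/** Escape for a <style> context: remove tags so the value cannot close the element. */
function escape_for_style(string $css): string {
    return strip_tags($css);
}

/** Escape for an HTML text context (assumed stand-in for esc_html()). */
function escape_for_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/** Hypothetical printer: escaping happens here, at output time, not at storage time. */
function render_background_css(string $selector, callable $escape): string {
    return '<style>' . $escape($selector) . ' { background-color: #fff; }</style>';
}

// Constructed sample selectors.
$samples = [
    'descendant selector' => 'html > body',
    'class selector'      => 'body.custom-background',
    'tag-bearing input'   => 'body</style><script>/* constructed */</script>',
];

foreach ($samples as $label => $selector) {
    printf(
        "%s\n  strip_tags:  %s\n  html-escape: %s\n\n",
        $label,
        render_background_css($selector, 'escape_for_style'),
        render_background_css($selector, 'escape_for_html')
    );
}

// Inside <style> the browser does not decode entities, so "html &gt; body"
// reaches the CSS parser literally and the rule no longer matches anything.
// strip_tags() leaves the lone ">" combinator alone and only drops the
// "</style>" and "<script>" tags from the third sample.
```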