[wp-trac] [WordPress Trac] #43010: Attribute Name Escape
WordPress Trac
noreply at wordpress.org
Tue Jan 2 17:03:11 UTC 2018
#43010: Attribute Name Escape
-------------------------+-----------------------------
Reporter: joe_bopper | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Formatting | Version:
Severity: normal | Keywords:
Focuses: |
-------------------------+-----------------------------
The HTML5 spec allows us to arbitrarily name attributes for tags, e.g.
`data-my-arb-attr-name="attr value"`. This allows for generated
attribute names and thus a need to escape to avoid potential security
implications.
I have seen several occasions of developers using `esc_attr` to resolve
this case; however, this is far from correct: the requirements of the name
of an attribute are very different from those of the value, the best example
of this simply being whitespace.
The requirements of an attribute name can be found here:
https://html.spec.whatwg.org/multipage/syntax.html#attributes-2
There is a need for an `esc_attr_name` function to avoid compromises in
HTML.
I have provided a simple addition patch to wp-includes/formatting.php
which should resolve this issue.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43010>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
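Added example of the kind of name escaping the ticket asks for, written for this note and not taken from the ticket's patch or from WordPress core; `esc_attr_name` here is a hypothetical implementation, and `htmlspecialchars()` stands in for value-style escaping such as `esc_attr()` to show why that is not enough for names.

```php
<?php
/**
 * Hypothetical esc_attr_name(): constrain a string to the HTML attribute
 * name syntax (https://html.spec.whatwg.org/multipage/syntax.html#attributes-2).
 * Added example, not the ticket's patch or WordPress core code.
 *
 * The spec forbids in attribute names: controls, U+0020 SPACE, U+0022 ("),
 * U+0027 ('), U+003E (>), U+003F (/), U+003D (=), and noncharacters.
 * "<" and "&" are permitted by the spec but are replaced here as well, so the
 * output is also inert in serializers that are less careful than a browser.
 *
 * Disallowed runs are replaced with "-" rather than deleted, so the fragments
 * on either side of a space cannot fuse into a different attribute name.
 * An empty return value means "no usable name": the caller should skip
 * emitting the attribute entirely.
 */
function esc_attr_name( $name ) {
    $name = (string) $name;
    // \p{Cn} (unassigned code points) is a deliberately conservative
    // superset of the Unicode noncharacters the spec excludes.
    $safe = preg_replace(
        '/(?:[\x00-\x1F\x7F-\x9F\s"\'>\/=<&]|\p{Cn})+/u',
        '-',
        $name
    );
    // preg_replace() returns null on malformed UTF-8; treat that as no name.
    if ( null === $safe || '' === $safe ) {
        return '';
    }
    return $safe;
}

// Constructed sample: a generated name that carries whitespace and "=".
$raw = 'data-user info="x" extra';

// Value-style escaping leaves the space and "=" untouched, so inside a tag
// this one string would be parsed as several attributes.
printf( "value-escaped: %s\n", htmlspecialchars( $raw, ENT_QUOTES, 'UTF-8' ) );
// Expected: value-escaped: data-user info=&quot;x&quot; extra

// Name escaping collapses every disallowed run, keeping a single name.
printf( "name-escaped:  %s\n", esc_attr_name( $raw ) );
// Expected: name-escaped:  data-user-info-x-extra
```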