[wp-trac] [WordPress Trac] #46188: esc_html does not have support for multiline output. esc_br_html or line-breaking parameter for esc_html is missing
WordPress Trac
noreply at wordpress.org
Sat Mar 2 12:24:33 UTC 2019
#46188: esc_html does not have support for multiline output. esc_br_html or line-breaking parameter for esc_html is missing
-------------------------+------------------------------
Reporter: KestutisIT | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Formatting | Version: 5.0.3
Severity: normal | Resolution:
Keywords: needs-patch | Focuses: template
-------------------------+------------------------------
Comment (by KestutisIT):
Replying to [comment:3 timph]:
> If your user is entering it in some sort of textarea field and you're
> wanting them to have a visual representation there's the wp_editor()
> function to create a visual editor (tinymce instance), and one of the
> configurations you can pass in is for wpautop behavior.
This is a bad suggestion that is against secure code practices. Secure
code practices say that we should give the **LEAST POSSIBLE**
access/rights to our users. So, if we don't need to give them HTML
rights, and that is i.e. a "Notes" field in some kind of booking/reservation
field, it is **enough** to give the user a plain textarea with the ability to
enter multiple lines. That is a secure code practice. If we do not follow
it, we would go into a vulnerable-plugin situation with things like this,
where all WP versions until 5.0.3 that had this kind of permissions are
vulnerable - https://thehackernews.com/2019/02/wordpress-remote-code-execution.html ,
while if only plain text and line breaks are allowed, the website would not
be affected, and all the websites using that plugin would not become
ready-for-hacking.
The standard way to preserve the line breaks is via the BR HTML tag or the \n
character. Everything else is out of scope, custom hacks that are not
well-known standards. If I have to escape the content - as WordPress says,
escape all output - and I run the default esc_html(..), I don't see any way
in which wpautop would help here.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/46188#comment:4>
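The approach the comment argues for (plain text plus line breaks, no HTML rights for the user) can be demonstrated in a few lines of PHP. The following is an added example written for this page; it is not code from the ticket, from the commenter, or from WordPress core. The helper name `esc_html_with_breaks()` is hypothetical, the `$notes` value is a constructed sample, and the `esc_html()` fallback is only a stand-in so the file also runs outside a loaded WordPress install:

```php
<?php
// Added example (not WordPress core code): keep a user's line breaks without
// granting HTML rights. Order matters: escape first, then convert newlines to
// <br>, so the only markup in the output is the <br> we insert ourselves.

// Stand-in for WordPress's esc_html() so this runs outside WordPress.
// Assumption: htmlspecialchars() is close enough for this demonstration.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

/**
 * Hypothetical helper (name chosen for this example): escape, then add <br>.
 * Users may enter newlines; they may not enter tags.
 */
function esc_html_with_breaks( $text ) {
    // Normalise Windows/old-Mac line endings so every break becomes one <br>.
    $text = str_replace( array( "\r\n", "\r" ), "\n", (string) $text );
    return nl2br( esc_html( $text ), false );
}

// Wrong order, shown for comparison: nl2br() first, then esc_html() escapes
// the <br> tags we just added, so the reader sees literal "<br>" text.
function esc_html_with_breaks_wrong_order( $text ) {
    return esc_html( nl2br( (string) $text, false ) );
}

// Constructed sample: a "Notes" field containing line breaks and a script tag.
$notes = "Room 12\r\n<script>alert(1)</script>\nLate check-in";

// Correct order: the script tag is rendered as text, the line breaks survive.
echo esc_html_with_breaks( $notes ), PHP_EOL, PHP_EOL;

// Wrong order: still safe, but the <br> tags are shown as text, not rendered.
echo esc_html_with_breaks_wrong_order( $notes ), PHP_EOL;
```

Both orderings are safe against injected markup because `esc_html()` runs over everything the user typed; only the escape-then-`nl2br()` order also gives the visual line breaks the ticket asks for. Inside a real theme or plugin, drop the fallback block and call the helper with WordPress's own `esc_html()` loaded.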