[wp-trac] [WordPress Trac] #33472: Templating Engine

WordPress Trac noreply at wordpress.org
Wed Apr 28 18:12:43 UTC 2021

#33472: Templating Engine
 Reporter:  KalenJohnson     |       Owner:  (none)
     Type:  feature request  |      Status:  new
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Themes           |     Version:  4.4
 Severity:  normal           |  Resolution:
 Keywords:  ongoing          |     Focuses:  administration, template

Comment (by iandunn):

 > Automattic escaping

 That's one of my favorite things about React (well, JSX really). Output is
 '''secure by default''', and you have to use `dangerouslySetInnerHTML()`
 to output raw data. It's intentionally named to make it obvious that you
 should really know what you're doing if you're going to use it.

 Using it also serves as a signal that the dev is intentionally outputting
 unescaped HTML. That cuts down on false-positives in linting tools, making
 it easier to [https://make.wordpress.org/meta/2021/04/27/automatically-
 catching-bugs-in-plugins/ integrate into workflows] and saving time during

 Since the transition for plugin/theme authors seems relatively painless,
 XSS could almost be eliminated in plugins/themes that adopt it.


 > focus this discussion on "How should we extend WordPress so that we can
 smoothly drop in different templating engines?". This is a much more
 future-proof approach, and whatever the current trendy engine of choice is
 will not limit us in a few years.

 I agree, and like [https://developer.wordpress.org/block-editor/reference-
 guides/packages/packages-element/ the approach that Gutenberg took with
 abstracting React]. We're
 util.js#L31-L36 kind of already doing something similar with Underscore
 templates]. The engine could change as long as the syntax didn't.

Ticket URL: <https://core.trac.wordpress.org/ticket/33472#comment:21>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list