[wp-trac] [WordPress Trac] #54127: Twenty Twenty-One: Missing esc_html__() in functions.php
WordPress Trac
noreply at wordpress.org
Wed Sep 15 19:31:19 UTC 2021
#54127: Twenty Twenty-One: Missing esc_html__() in functions.php
---------------------------+-------------------------------
Reporter: teucrium | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Bundled Theme | Version: 5.8.1
Severity: minor | Resolution:
Keywords: has-patch | Focuses: coding-standards
---------------------------+-------------------------------
Comment (by SergeyBiryukov):
Replying to [comment:3 muhammadfaizanhaidar]:
> I have uploaded a patch for this ticket but I think it's better if we
> add escape functions to all bundled themes? Because I can see them missing
> in other themes too.
Thanks for the patch!
Previously, the point of view here was that core translations (including
bundled themes) are considered safe because we have a review process for
them, see #42639 and the discussion in #30724. (Also related: #32233.)
In WordPress core and older bundled themes, strings are generally only
escaped in attributes or in `<option>` tags.
Some other related tickets: #47384, #47385, #49535, #49536, #49537.
This was recently reconsidered for the Twenty Twenty-One theme, see the
discussion in
[https://wordpress.slack.com/archives/C02RP4VMP/p1608576953179600 #core-themes on Slack].
As the purpose of bundled themes is to demonstrate best practices, they
should use proper escaping so that the code copied from or based on these
themes also uses correct escaping. This has been addressed for Twenty
Twenty-One and will be addressed for newer bundled themes going forward.
For updating the escaping in older themes though, there is no consensus
yet, see the
[https://wordpress.slack.com/archives/C02RP4VMP/p1608586193219600 second
part of the discussion]. This should probably be discussed with the Themes
team. Personally, I think either way is fine. As these themes are
periodically updated for better block editor support, I guess we could
address the escaping as well.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54127#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
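The comment above contrasts translated strings dropped straight into HTML with strings escaped for their output context. The script below is an added example written for this page; it is not code from the ticket, its patch, or the Twenty Twenty-One theme. So that it runs outside WordPress, it defines simplified stand-ins for the real `__()`, `esc_html__()` and `esc_attr__()` helpers (plain `htmlspecialchars()`, whereas WordPress's `esc_html()` also avoids double-encoding existing entities); the translation catalog, text domain `demo` and the `demo_*` functions are constructed for the illustration. In a real theme the stand-in definitions must not exist, since WordPress already provides those functions.

```php
<?php
// Added example, not the ticket's or the theme's code. The helpers below are
// simplified stand-ins for the WordPress functions of the same name so the
// script runs on its own; remove them inside a real theme.

// Constructed catalog standing in for a loaded .mo file. The first entry
// carries markup and the second a double quote so the effect of escaping is
// visible in each output context.
$demo_catalog = array(
    'Skip to content' => 'Skip to <em>content</em>',
    'Select a page'   => 'Select a "page"',
);

// Stand-in for __(): look the string up in the catalog, fall back to the original.
function __( $text, $domain = 'default' ) {
    global $demo_catalog;
    return isset( $demo_catalog[ $text ] ) ? $demo_catalog[ $text ] : $text;
}

// Stand-ins for esc_html() / esc_attr(): encode <, >, &, " and ' as entities.
function esc_html( $text ) {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
}
function esc_attr( $text ) {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
}

// Stand-ins for the combined translate-then-escape helpers the ticket asks for.
function esc_html__( $text, $domain = 'default' ) {
    return esc_html( __( $text, $domain ) );
}
function esc_attr__( $text, $domain = 'default' ) {
    return esc_attr( __( $text, $domain ) );
}

// The pattern the ticket objects to: the translated string is emitted as-is,
// so any markup the translation contains becomes part of the page.
function demo_skip_link_unescaped() {
    return '<a class="skip-link" href="#content">'
        . __( 'Skip to content', 'demo' )
        . '</a>';
}

// Context-specific escaping, the practice bundled themes are meant to model:
// esc_html__() for text nodes, so the translation is shown literally.
function demo_skip_link_escaped() {
    return '<a class="skip-link" href="#content">'
        . esc_html__( 'Skip to content', 'demo' )
        . '</a>';
}

// The two contexts the comment says older themes already escape: an attribute
// value (esc_attr__) and an <option> label (esc_html__). The stray quote in
// the translation cannot terminate the attribute once it is encoded.
function demo_page_select_escaped() {
    return '<select aria-label="' . esc_attr__( 'Select a page', 'demo' ) . '">'
        . '<option value="">' . esc_html__( 'Select a page', 'demo' ) . '</option>'
        . '</select>';
}

// Render all three variants so the difference can be compared directly.
foreach ( array(
    'unescaped skip link' => demo_skip_link_unescaped(),
    'escaped skip link'   => demo_skip_link_escaped(),
    'escaped select'      => demo_page_select_escaped(),
) as $label => $html ) {
    echo $label, ":\n  ", $html, "\n";
}
```

Run with `php demo.php`: the unescaped skip link renders the translation's `<em>` as real markup, while the escaped variants show it as entity-encoded text and keep the quote inside the attribute. The same split applies to the companion helpers in WordPress (`esc_html_e()`, `esc_attr_e()`, and `esc_html_x()` / `esc_attr_x()` for strings with context), so the rule of thumb is to pick the helper by where the string lands in the HTML, not by where the translation came from.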