[wp-trac] [WordPress Trac] #56007: Correct the escaping in documentation lookup for plugin and theme editor
WordPress Trac
noreply at wordpress.org
Sat Jun 18 18:47:06 UTC 2022
#56007: Correct the escaping in documentation lookup for plugin and theme editor
----------------------------+-----------------------
Reporter: SergeyBiryukov | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 6.1
Component: Administration | Version:
Severity: normal | Keywords: has-patch
Focuses: |
----------------------------+-----------------------
There is some similar code for documentation lookup in plugin and theme
code editors.
`wp-admin/plugin-editor.php`:
{{{
if ( '.php' === substr( $real_file, strrpos( $real_file, '.' ) ) ) {
	$functions = wp_doc_link_parse( $content );
	if ( ! empty( $functions ) ) {
		$docs_select  = '<select name="docs-list" id="docs-list">';
		$docs_select .= '<option value="">' . __( 'Function Name…' ) . '</option>';
		foreach ( $functions as $function ) {
			$docs_select .= '<option value="' . esc_attr( $function ) . '">' . esc_html( $function ) . '()</option>';
		}
		$docs_select .= '</select>';
	}
}
}}}
`wp-admin/theme-editor.php`:
{{{
if ( '.php' === substr( $file, strrpos( $file, '.' ) ) ) {
	$functions    = wp_doc_link_parse( $content );
	$docs_select  = '<select name="docs-list" id="docs-list">';
	$docs_select .= '<option value="">' . esc_attr__( 'Function Name…' ) . '</option>';
	foreach ( $functions as $function ) {
		$docs_select .= '<option value="' . esc_attr( urlencode( $function ) ) . '">' . htmlspecialchars( $function ) . '()</option>';
	}
	$docs_select .= '</select>';
}
}}}
How many differences can you find? :) Over the years, both of these
fragments evolved in slightly different ways:
* [10607] / #9184 introduced documentation lookup shortcuts both for the
plugin and theme editor.
* [10879] / #9452 replaced `urlencode()` with `attribute_escape()`, later
`esc_attr()`, in the plugin editor.
* [11110] / #9650 added `_a()`, later `esc_attr__()`, for "Function
Name..." in the theme editor.
* [11173] added attribute escaping for `$function` in the theme editor,
without removing `urlencode()`.
* [11204] / #9650 replaced `attr()` with `esc_attr()` and `_a()` with
`esc_attr__()`.
* [11671] / #10262 added a `! empty( $functions )` check for the plugin
editor.
* [14989] replaced `htmlspecialchars()` with `esc_html()` in the plugin
editor.
The attached patch brings some consistency:
* The `! empty( $functions )` check only existed in the plugin editor; it
should be added to the theme editor too.
* "Function Name..." is an option label, not an attribute, so
`esc_html__()` would be the correct function here.
* `esc_attr( urlencode( $function ) )` in the theme editor is redundant:
`esc_attr()` alone is enough there, since the value is an attribute, not a URL.
* `htmlspecialchars( $function )` in the theme editor can be replaced with
`esc_html( $function )`.
Noticed and patched in a working session on #53465 with @aristath,
@justinahinon, @poena, and @SergeyBiryukov.
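As an added illustration (not the attached patch and not WordPress's own code), here is the theme-editor fragment with the four changes above applied, beside the old form, so the effect of stacking `urlencode()` under `esc_attr()` is visible. `demo_esc_attr()` and `demo_esc_html()` are assumed stand-ins for `esc_attr()`/`esc_html()`, and the function list is a constructed sample.

```php
<?php
// Added illustration, not the attached patch: the theme-editor select rebuilt
// with the four changes the ticket lists, beside the old form. demo_esc_attr()
// and demo_esc_html() are stand-ins for WordPress's esc_attr()/esc_html(); the
// real functions do more (KSES normalisation, filters) but agree on this input.
function demo_esc_attr( string $text ): string {
	return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
}
function demo_esc_html( string $text ): string {
	return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
}

// Old theme-editor form: no empty check, label escaped as an attribute,
// value URL-encoded and then attribute-escaped, text via htmlspecialchars().
function docs_select_old( array $functions ): string {
	$docs_select  = '<select name="docs-list" id="docs-list">';
	$docs_select .= '<option value="">' . demo_esc_attr( 'Function Name…' ) . '</option>';
	foreach ( $functions as $function ) {
		$docs_select .= '<option value="' . demo_esc_attr( urlencode( $function ) ) . '">' . htmlspecialchars( $function ) . '()</option>';
	}
	return $docs_select . '</select>';
}

// Corrected form: empty check, label escaped as HTML text, value escaped
// once for the attribute context, visible text escaped as HTML text.
function docs_select_new( array $functions ): string {
	if ( empty( $functions ) ) {
		return '';
	}
	$docs_select  = '<select name="docs-list" id="docs-list">';
	$docs_select .= '<option value="">' . demo_esc_html( 'Function Name…' ) . '</option>';
	foreach ( $functions as $function ) {
		$docs_select .= '<option value="' . demo_esc_attr( $function ) . '">' . demo_esc_html( $function ) . '()</option>';
	}
	return $docs_select . '</select>';
}

// Constructed sample input. For a plain identifier both forms emit the same
// markup, which is why the redundancy went unnoticed; a name containing a
// non-alphanumeric character (here a namespace separator) shows the old
// form emitting a value ("Foo%5Cbar") that no longer matches its label.
$sample = array( 'get_option', 'Foo\\bar' );
echo docs_select_old( $sample ), "\n";
echo docs_select_new( $sample ), "\n";
echo docs_select_new( array() ) === '' ? "empty list: no select emitted\n" : "unexpected\n";
```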
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56007>
WordPress Trac <https://core.trac.wordpress.org/>