[wp-trac] [WordPress Trac] #58251: Escaping issue found while echoing attribute's dynamic value in html attribute.
WordPress Trac
noreply at wordpress.org
Wed Jul 12 07:20:08 UTC 2023
#58251: Escaping issue found while echoing attribute's dynamic value in html attribute.
-----------------------------+-------------------------------
Reporter: madhusudandev | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 6.3
Component: Toolbar | Version:
Severity: normal | Resolution:
Keywords: has-patch close | Focuses: coding-standards
-----------------------------+-------------------------------
Comment (by gaambo):
Just wanted to add that we've gotten feedback from the plugin review team
for one of our plugins that **every variable** (even with hardcoded
contents) should be escaped. Here's the quote:
> At this time, we ask you escape all $-variables, options, and any sort
> of generated data when it is being echoed. That means you should not be
> escaping when you build a variable, but when you output it at the end. We
> call this 'escaping late.'
> Besides protecting yourself from a possible XSS vulnerability, escaping
> late makes sure that you're keeping the future you safe. While today your
> code may be only outputted hardcoded content, that may not be true in the
> future. By taking the time to properly escape when you echo, you prevent a
> mistake in the future from becoming a critical security issue.
I think the same rules should apply to core as well as plugins.
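As an added example (not code from the ticket, from gaambo, or from WordPress core), the "escape late" pattern the review team describes, applied to an HTML class attribute; `esc_attr()` is WordPress's attribute escaper, and the fallback definition below is an assumption so the snippet also runs outside WordPress:

```php
<?php
// Added example of escaping late, not WordPress core code.
// esc_attr() exists in WordPress; this fallback is an assumption so the
// file runs stand-alone (plain `php escape-late.php`).
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}

// Escaping early: the variable is escaped when built, then the output
// line trusts it. The day someone appends unaudited data, the echo is wrong.
function render_early( $extra_class ) {
	$classes = esc_attr( 'ab-item' ); // looks safe: hardcoded content
	$classes .= ' ' . $extra_class;   // later addition, never escaped
	return '<div class="' . $classes . '">item</div>';
}

// Escaping late: build the variable however you like, escape at the echo.
function render_late( $extra_class ) {
	$classes = 'ab-item';
	$classes .= ' ' . $extra_class;
	return '<div class="' . esc_attr( $classes ) . '">item</div>';
}

// Constructed input standing in for an option or filter result that breaks
// out of the attribute (a stray quote is enough to change the markup).
$untrusted = '" title="injected';

echo render_early( $untrusted ), "\n"; // attribute is closed, markup altered
echo render_late( $untrusted ), "\n";  // quote becomes &quot;, attribute intact
```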
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58251#comment:25>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform