[wp-trac] [WordPress Trac] #62738: Proposal for format_atts()
WordPress Trac
noreply at wordpress.org
Thu Dec 26 11:22:01 UTC 2024
#62738: Proposal for format_atts()
--------------------------+------------------------------
Reporter: takayukister | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Formatting | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
--------------------------+------------------------------
Comment (by swissspidy):
> Another reason for me to suggest this is that the
> [https://wordpress.org/plugins/plugin-check/ Plugin Check plugin] detects
> errors of `WordPress.Security.EscapeOutput.OutputNotEscaped` despite the
> fact that attribute values are properly escaped with `esc_attr()`. If this
> function becomes WordPress standard and the PCP recognizes that, I and
> other developers who use similar formatting functions will be able to avoid
> the false-positive error.
FWIW, `OutputNotEscaped` is part of the
[https://github.com/WordPress/WordPress-Coding-Standards WordPress Coding Standards] project, so it's
not unique to PCP. A static analysis tool just sees that you're using
`echo` with some arbitrary string. It can't know whether the full string
is safe or not, hence the warning.
So it's not really a false positive that can be fixed. It's one of these
instances where, if you know what you are doing, you can ignore the PHPCS
warning.
Even if PHPCS would know about this new function, doing something like
`echo sprintf( '<input %s />', ... )` would still give you an
`OutputNotEscaped` warning because of the `echo`.
So whether you use your own `wpcf7_format_atts()` function or a core-provided
`format_atts()` function, this would not change.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62738#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
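An added example, not the patch proposed in this ticket and not code from WordPress core, Plugin Check or Contact Form 7, showing the situation swissspidy describes: a `format_atts()`-style helper (named `example_format_atts()` here, a hypothetical implementation) escapes every attribute name and value itself, yet the final `echo` is still just "echo with a string" to PHPCS, so the sniff fires and the accepted answer is a reviewed `phpcs:ignore` annotation. The `esc_attr()` stand-in is an assumption so the file runs outside WordPress; inside WordPress the real function is used.

```php
<?php
// Added example for this ticket; hypothetical helper, not the proposed core API.

// Stand-in for WordPress's esc_attr() so the file runs outside WordPress.
// Assumption: a simplified equivalent; WordPress's own esc_attr() applies in a plugin.
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8', false );
	}
}

/**
 * Build an HTML attribute string from an associative array.
 *
 * - Attribute names are restricted to a conservative character set, so a key
 *   containing spaces, quotes or '=' cannot add a second attribute.
 * - Values are escaped with esc_attr() and always double-quoted.
 * - true emits a boolean attribute; false or null drops the attribute.
 */
function example_format_atts( array $atts ) {
	$pieces = array();

	foreach ( $atts as $name => $value ) {
		$name = strtolower( (string) $name );

		// Reject names that could break out of the attribute list.
		if ( ! preg_match( '/^[a-z][a-z0-9_:-]*$/', $name ) ) {
			continue;
		}

		if ( false === $value || null === $value ) {
			continue;
		}

		if ( true === $value ) {
			$pieces[] = $name;
			continue;
		}

		$pieces[] = sprintf( '%s="%s"', $name, esc_attr( (string) $value ) );
	}

	return implode( ' ', $pieces );
}

// Constructed sample input: a value with quotes and an ampersand that must be
// escaped, a boolean attribute, a dropped attribute, and a malformed key.
$atts = array(
	'type'     => 'text',
	'name'     => 'your-name',
	'value'    => '"quoted" & co',
	'required' => true,
	'disabled' => false,
	'bad key'  => 'ignored',
);

$formatted = example_format_atts( $atts );

// Everything in $formatted is already escaped, but a static analyser only sees
// echo with a string, so OutputNotEscaped still fires here. The annotation
// records that the escaping was verified upstream in example_format_atts().
echo sprintf( '<input %s />', $formatted ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
```

The point to take from this: the safety guarantee lives in the helper (escape every value, whitelist every name), and the `phpcs:ignore` is a reviewed statement that the helper was checked, not a way to make the warning disappear without doing that review.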