[wp-trac] [WordPress Trac] #50867: An API which encourages automatic escaping of HTML
WordPress Trac
noreply at wordpress.org
Wed Jan 17 00:49:09 UTC 2024
#50867: An API which encourages automatic escaping of HTML
-------------------------------------------------+-------------------------
Reporter: noisysocks | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Resolution:
Keywords: has-patch needs-unit-tests needs-docs dev-feedback 2nd-opinion | Focuses:
-------------------------------------------------+-------------------------
Comment (by dmsnell):
I've created a new proposal based on the HTML API whose only purpose is to
create a new tag. Although I will add illustrative tests soon, my day is
over and I need to sign off for now, but I wanted to share this.
Originally I had hoped that we could get a much more valuable HTML
templating system into 6.5, but over the past week I've realized that's a
bit too rushed.
With `WP_HTML::tag()` it's possible to create safe HTML. It doesn't
support nested tags at the moment, as I think that opens some of the more
complicated design questions that templating does. Still, when the time
comes, I think we'll find that we have to wrap any inner tags in a class
to ensure that we don't invite unsafe string operations that could break
the output; that class would be a call to `WP_HTML::tag()` or some
variant, meaning the _only_ user- or developer-input we allow ends up as an
encoded string _or_ the result of calling `WP_HTML::tag()` with encoded
strings.
This is different than general purpose templating and it won't be usable
everywhere, but already it provides a helpful utility with additional
conveniences over current HTML-generating PHP code. For instance, it's
possible to pass attribute values as `true` for a boolean attribute or
`false` to ensure no attribute of the given name appears in the markup.
{{{#!php
<?php
echo WP_HTML::tag( 'div', array( 'class' => 'is-safe' ), 'Hello, world!' );
// <div class="is-safe">Hello, world!</div>

echo WP_HTML::tag( 'input', array( 'type' => '"></script>', 'disabled' => true ), 'Is this > that?' );
// <input type="&quot;&gt;&lt;/script&gt;" disabled>

echo WP_HTML::tag( 'p', null, 'Is this > that?' );
// <p>Is this &gt; that?</p>

echo WP_HTML::tag( 'wp-emoji', array( 'name' => ':smile:' ), null, 'self-closing' );
// <wp-emoji name=":smile:" />
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50867#comment:14>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
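As an added illustration, not part of the ticket or the proposed patch, the sketch below implements the escaping behaviour the comment describes for a single tag: attribute values and text content are entity-encoded, `true` emits a bare boolean attribute, `false` omits the attribute, void elements take no content, and a `'self-closing'` flag closes the tag inline. The class name `Safe_Html_Sketch`, the `$flag` parameter and the name whitelists are assumptions of this example, not WordPress APIs.

```php
<?php
// Hypothetical stand-alone sketch of a WP_HTML::tag()-style helper.
// Not the WordPress proposal's code; names and checks are illustrative.
final class Safe_Html_Sketch {
	// Void elements (abridged HTML list) never carry content or a closing tag.
	private const VOID = array( 'area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input', 'link', 'meta', 'source', 'track', 'wbr' );

	private static function encode( string $s ): string {
		// Encodes & < > " ' so a value can never close the quote or the tag.
		return htmlspecialchars( $s, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
	}

	public static function tag( string $name, ?array $attrs = null, ?string $text = null, ?string $flag = null ): string {
		// Tag and attribute names are developer-controlled, but a conservative
		// character set guarantees they cannot introduce markup syntax either.
		if ( ! preg_match( '/^[a-zA-Z][a-zA-Z0-9-]*$/', $name ) ) {
			throw new InvalidArgumentException( "Invalid tag name: {$name}" );
		}
		$name = strtolower( $name );
		$html = '<' . $name;
		foreach ( (array) $attrs as $attr => $value ) {
			if ( ! preg_match( '/^[a-zA-Z][a-zA-Z0-9_:.-]*$/', (string) $attr ) ) {
				throw new InvalidArgumentException( "Invalid attribute name: {$attr}" );
			}
			$attr = strtolower( $attr );
			if ( false === $value || null === $value ) {
				continue; // false: guarantee the attribute is absent from the markup.
			}
			if ( true === $value ) {
				$html .= ' ' . $attr; // boolean attribute, written without a value.
				continue;
			}
			// Always double-quote and encode; the caller's string cannot escape it.
			// Note: encoding does not make a URL or event-handler attribute safe
			// by itself; that needs attribute-specific validation on top.
			$html .= ' ' . $attr . '="' . self::encode( (string) $value ) . '"';
		}
		if ( in_array( $name, self::VOID, true ) ) {
			return $html . '>'; // void element: any content argument is ignored.
		}
		if ( 'self-closing' === $flag ) {
			return $html . ' />';
		}
		// Text content is encoded too, so markup cannot be smuggled through it.
		return $html . '>' . self::encode( (string) $text ) . '</' . $name . '>';
	}
}

echo Safe_Html_Sketch::tag( 'input', array( 'type' => '"></script>', 'disabled' => true, 'hidden' => false ) ), "\n";
echo Safe_Html_Sketch::tag( 'wp-emoji', array( 'name' => ':smile:' ), null, 'self-closing' ), "\n";
```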