[wp-trac] [WordPress Trac] #30036: Add some escaping to $handle when printing styles.
WordPress Trac
noreply at wordpress.org
Tue Jun 10 16:45:37 UTC 2025
#30036: Add some escaping to $handle when printing styles.
-----------------------------+---------------------
 Reporter:  georgestephanis  |       Owner:  (none)
     Type:  defect (bug)     |      Status:  new
 Priority:  normal           |   Milestone:  6.9
Component:  Script Loader    |     Version:
 Severity:  normal           |  Resolution:
 Keywords:  needs-patch      |     Focuses:
-----------------------------+---------------------
Changes (by westonruter):
* milestone: => 6.9
Comment:
It seems like this was half-implemented.
We're using `esc_attr()` when [https://github.com/WordPress/wordpress-develop/blob/c1f2216287d9c097526caa7ecd456891f0c91537/src/wp-includes/class-wp-styles.php#L181-L186 printing an inline style]:
{{{#!php
<?php
$inline_style_tag = sprintf(
"<style id='%s-inline-css'%s>\n%s\n</style>\n",
esc_attr( $handle ),
$this->type_attr,
$inline_style
);
}}}
But not when printing the `LINK` tag:
{{{#!php
<?php
$tag = sprintf(
"<link rel='%s' id='%s-css'%s href='%s'%s media='%s' />\n",
$rel,
$handle,
$title,
$href,
$this->type_attr,
$media
);
}}}
The `title` attribute is getting escaped previously:
{{{#!php
<?php
$title = isset( $obj->extra['title'] ) ? sprintf( " title='%s'", esc_attr( $obj->extra['title'] ) ) : '';
}}}
And `$href` is getting escaped because it is obtained by the `_css_href()`
method which returns the value through `esc_url()`.
Also, `$media` is getting passed through `esc_attr()` previously.
All of the escaping should be moved as late as possible when the `LINK`
tag is being constructed.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/30036#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
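The attribute-breakout the ticket describes, shown as an added stand-alone example (not WordPress core code, and not part of the ticket): `esc_attr_stub()` is an assumed stand-in for WordPress's `esc_attr()`, `$href` is assumed to arrive already URL-escaped (as `_css_href()` returns it via `esc_url()` in core), and the handle and URL are constructed sample values.

```php
<?php
// Added example, not WordPress core code. esc_attr_stub() stands in for
// esc_attr(): htmlspecialchars() with ENT_QUOTES encodes both quote styles,
// which is what matters for the single-quoted id='...' attribute of the tag.
function esc_attr_stub( string $text ): string {
    return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// The construction the ticket objects to: $handle is interpolated raw.
function build_link_tag_raw( string $handle, string $href, string $media = 'all' ): string {
    return sprintf(
        "<link rel='stylesheet' id='%s-css' href='%s' media='%s' />\n",
        $handle,
        $href,
        $media
    );
}

// Escaping applied as late as possible, at the point the tag is assembled,
// so every attribute value is covered regardless of where it came from.
// $href is assumed to be URL-escaped already (esc_url() in core) and is
// passed through unchanged here.
function build_link_tag_escaped( string $handle, string $href, string $media = 'all' ): string {
    return sprintf(
        "<link rel='stylesheet' id='%s-css' href='%s' media='%s' />\n",
        esc_attr_stub( $handle ),
        $href,
        esc_attr_stub( $media )
    );
}

// Cheap well-formedness check: four single-quoted attributes means exactly
// eight single quotes; any other count means a value terminated an attribute.
function count_attribute_quotes( string $tag ): int {
    return substr_count( $tag, "'" );
}

// Constructed sample input: a handle containing a single quote. The tag
// builder should not assume registered handles are free of such characters.
$handle = "theme'style";
$href   = 'https://example.test/style.css';

$raw     = build_link_tag_raw( $handle, $href );
$escaped = build_link_tag_escaped( $handle, $href );

echo $raw;      // nine quotes: the quote in the handle closes id='...' early
echo $escaped;  // eight quotes: the handle is rendered as theme&#039;style
var_dump( count_attribute_quotes( $raw ) );      // int(9)
var_dump( count_attribute_quotes( $escaped ) );  // int(8)
```

The quote count is only a smoke test for this one input; the fix the ticket asks for is to escape every attribute at the `sprintf()` call rather than to validate handles.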