Opened 17 months ago

Closed 4 months ago

#19712 closed enhancement (wontfix)

Escape taxonomy labels in tags meta box

Reported by: niallkennedy Owned by:
Priority: normal Milestone:
Component: Editor Version:
Severity: minor Keywords: has-patch
Cc:

Description

While browsing the code for the tags post meta box I noticed many values were echoed without escaping. Taxonomy [labels http://core.trac.wordpress.org/browser/tags/3.3/wp-includes/taxonomy.php#L14 from wp-includes/taxonomy.php] or elsewhere may have passed through gettext and contain escapable characters in the returned string.

Before: echo $taxonomy->labels->add_new_item

After: echo esc_html( $taxonomy->labels->add_new_item )

While I was in there I also assigned the assign_terms capability test into a single variable compared three times instead of calling the capabilities function three times. Performance benefit, slightly cleaner.

The disabled attribute is a boolean attribute in HTML5; changed that string as well. The variable is only used once and could be a good candidate for a ternary operator based on WP coding standards but the assigned string change is a cleaner patch compare.

Attachments (2)

meta-boxes.diff (3.3 KB) - added by niallkennedy 17 months ago.
escape taxonomy labels; assign capability test; HTML5 boolean disabled attr
meta-boxes.2.diff (3.3 KB) - added by niallkennedy 17 months ago.
disabled() version. replace string assignment and echo with function call for capability test

Download all attachments as: .zip

Change History (8)

niallkennedy17 months ago

escape taxonomy labels; assign capability test; HTML5 boolean disabled attr

comment:1 follow-up: ↓ 2   ocean9017 months ago

See the helper function disabled().

comment:2 in reply to: ↑ 1   niallkennedy17 months ago

Replying to ocean90:

See the helper function disabled().

WP Admin is now HTML5 and meta box is part of admin, making it easy to determine if the use of a boolean attribute is appropriate. The disabled() function in wp-includes/general-template.php could possibly be called from a theme or plugin and output to an XHTML page. I don't think it makes sense to change the __checked_selected_helper() function for its boolean attributes (checked, selected, disabled) since the output context is unknown.

comment:3   ocean9017 months ago

We are using these functions all over the admin place. I don't see the point, why you want to use here the HTML5 type.

Using the functions makes the code more pretty and if it's time where HTML5 rocks the world we only need to change the functions.

niallkennedy17 months ago

disabled() version. replace string assignment and echo with function call for capability test

comment:4   SergeyBiryukov17 months ago

  • Milestone changed from Awaiting Review to 3.4

comment:5   nacin14 months ago

  • Keywords close added
  • Milestone changed from 3.4 to Awaiting Review

Why should these be escaped? These are strings set by plugins and/or then translated. Post type and taxonomy labels should be considered safe. They are not found in attributes and therefore do not need esc_attr(), which is the only real concern for translated strings.

comment:6   SergeyBiryukov4 months ago

  • Keywords close removed
  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

I've created #23194 for replacing 'disabled="disabled"' with disabled() and removing the esc_attr() call on separate_items_with_commas label, which seems erroneous.

Closing as wontfix, per comment:5.

Note: See TracTickets for help on using tickets.