Opened 16 months ago

Last modified 15 months ago

#20009 new defect (bug)

Escape later when getting post and body classes

Reported by: mfields Owned by:
Priority: normal Milestone: Awaiting Review
Component: Themes Version:
Severity: normal Keywords: has-patch dev-feedback
Cc:

Description

Both get_body_class() and get_post_class() provide filters that allow plugins and themes to add custom values to the list. These filters are applied after the values in the $classes array have been filtered through esc_attr(). I think that it would be best to move the escaping after the filter has fired.

esc_attr() was first added to get_body_class() and get_post_class() in [11838].
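The ordering problem the description raises, shown as an added illustration (not WordPress core code and not either of the attached patches): a hypothetical filter callback appends a class built from a value it did not escape. With the escaping applied before the filter, the appended value reaches the attribute untouched; with the escaping applied after the filter, as 20009.diff proposes, every value is encoded before it is printed. The filter registry and demo_esc_attr() below are deliberately simplified stand-ins for add_filter()/apply_filters() and esc_attr(), so the script runs outside WordPress.

```php
<?php
// Added example. Minimal stand-ins for the pieces of the filter API and
// esc_attr() that matter here; the real functions in wp-includes differ in detail.

$demo_hooks = array();

function demo_add_filter(string $tag, callable $cb): void {
    global $demo_hooks;
    $demo_hooks[$tag][] = $cb;
}

function demo_apply_filters(string $tag, array $value): array {
    global $demo_hooks;
    foreach ($demo_hooks[$tag] ?? array() as $cb) {
        $value = $cb($value);
    }
    return $value;
}

// Simplified esc_attr(): encode the characters that are significant inside
// a double-quoted HTML attribute value.
function demo_esc_attr(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Current order described in the ticket: escape, then let filters add values.
function demo_get_body_class_escape_early(array $classes): array {
    $classes = array_map('demo_esc_attr', $classes);
    return demo_apply_filters('body_class', $classes);
}

// Order proposed in 20009.diff: let filters run, then escape every value.
function demo_get_body_class_escape_late(array $classes): array {
    $classes = demo_apply_filters('body_class', $classes);
    return array_map('demo_esc_attr', $classes);
}

// Hypothetical plugin callback that forgets to escape the value it appends.
// The string is a constructed sample containing a double quote.
demo_add_filter('body_class', function (array $classes): array {
    $unescaped = 'foo" bar';
    $classes[] = 'section-' . $unescaped;
    return $classes;
});

$base = array('home', 'page');

// Escape-early: the quote from the callback survives and terminates the attribute early.
echo '<body class="' . implode(' ', demo_get_body_class_escape_early($base)) . "\">\n";

// Escape-late: the same value is emitted as section-foo&quot; bar, inside the attribute.
echo '<body class="' . implode(' ', demo_get_body_class_escape_late($base)) . "\">\n";
```

Run with `php` on the command line and compare the two lines: only the second keeps the callback's value inside the class attribute. Moving the escape after the filter does not relieve callbacks of validating their own input, but it does mean get_body_class() returns values that are safe to print regardless of what a filter appended.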

Attachments (2)

20009.diff (789 bytes) - added by mfields 16 months ago.
20009.2.diff (820 bytes) - added by mfields 16 months ago.
Escape even later.


Change History (7)

Makes sense.

Escape even later.

Looking at this again, it may be better to escape directly in body_class() and post_class() as shown in 20009.2.diff

Moving the escaping into body_class() isn't so good, because theme authors might use get_body_class() directly, without bothering to escape its output. So 20009.diff looks good to me.

@scribu - Thanks for the input here. Both solutions make sense to me for different reasons. I agree that 20009.diff is the better of the two.

What exactly are we escaping here? Values added by plugins? Don't think escaping is really needed on class names added from a trusted source, keep in mind that the HTML class attribute allows the whole UTF-8 charset to be used with very few restrictions.
