Make WordPress Core


Timestamp: 07/22/2022 11:31:27 AM (21 months ago)
Author: SergeyBiryukov
Message:

Administration: Correct the escaping in documentation lookup for plugin and theme editor.

This brings consistency to similar code fragments that evolved in slightly different ways over the years:

  • A check that the list of functions is not empty now exists in both editors.
  • "Function Name..." is an option label, not an attribute, so esc_html__() is the correct function here.
  • esc_attr( urlencode( $function ) ) in the theme editor is replaced with esc_attr( $function ).
  • htmlspecialchars( $function ) in the theme editor is replaced with esc_html( $function ).

Follow-up to [10607], [10879], [11110], [11173], [11204], [11671], [14989].

Props aristath, justinahinon, poena, audrasjb, pratiweb, SergeyBiryukov.
Fixes #56007.

File:
1 edited

  • trunk/src/wp-admin/plugin-editor.php

    r53186 r53758  
    168168    if ( ! empty( $functions ) ) {
    169169        $docs_select  = '<select name="docs-list" id="docs-list">';
    170         $docs_select .= '<option value="">' . __( 'Function Name&hellip;' ) . '</option>';
     170        $docs_select .= '<option value="">' . esc_html__( 'Function Name&hellip;' ) . '</option>';
     171
    171172        foreach ( $functions as $function ) {
    172173            $docs_select .= '<option value="' . esc_attr( $function ) . '">' . esc_html( $function ) . '()</option>';
    173174        }
     175
    174176        $docs_select .= '</select>';
    175177    }
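
Review bot: On new line 170 the string passed to esc_html__() contains the entity `&hellip;`, so the label only renders as an ellipsis if the escaping step leaves existing entities untouched, and any translation that carries a bare `&` or markup will now be shown as literal text. Please confirm the option still reads "Function Name…" in a translated locale, and consider using a literal … character in the translatable string so the escaping call has no entity to preserve. On line 173 the option text escapes `$function` alone and appends `()` outside the call, which is fine for a constant suffix but worth a short comment so nobody later moves user-influenced text outside esc_html().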