Timestamp:
07/22/2022 11:31:27 AM (2 years ago)
Author:
SergeyBiryukov
Message:

Administration: Correct the escaping in documentation lookup for plugin and theme editor.

This brings consistency to similar code fragments that evolved in slightly different ways over the years:

  • A check that the list of functions is not empty now exists in both editors.
  • "Function Name..." is an option label, not an attribute, so esc_html__() is the correct function here.
  • esc_attr( urlencode( $function ) ) in the theme editor is replaced with esc_attr( $function ).
  • htmlspecialchars( $function ) in the theme editor is replaced with esc_html( $function ).

Follow-up to [10607], [10879], [11110], [11173], [11204], [11671], [14989].

Props aristath, justinahinon, poena, audrasjb, pratiweb, SergeyBiryukov.
Fixes #56007.

  • trunk/src/wp-admin/theme-editor.php

    r53186 r53758  
    165165        $functions = wp_doc_link_parse( $content );
    166166
    167         $docs_select  = '<select name="docs-list" id="docs-list">';
    168         $docs_select .= '<option value="">' . esc_attr__( 'Function Name&hellip;' ) . '</option>';
    169         foreach ( $functions as $function ) {
    170             $docs_select .= '<option value="' . esc_attr( urlencode( $function ) ) . '">' . htmlspecialchars( $function ) . '()</option>';
     167        if ( ! empty( $functions ) ) {
     168            $docs_select  = '<select name="docs-list" id="docs-list">';
     169            $docs_select .= '<option value="">' . esc_html__( 'Function Name&hellip;' ) . '</option>';
     170
     171            foreach ( $functions as $function ) {
     172                $docs_select .= '<option value="' . esc_attr( $function ) . '">' . esc_html( $function ) . '()</option>';
     173            }
     174
     175            $docs_select .= '</select>';
    171176        }
    172         $docs_select .= '</select>';
    173177    }
    174178
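Review bot: With the new `if ( ! empty( $functions ) )` guard (new lines 167-176), `$docs_select` is never assigned when `$functions` is empty, and this hunk does not show where the variable is later echoed; either initialize it (`$docs_select = '';`) before the `if`, or confirm the output site is guarded with `isset()`/`! empty()` so an empty file no longer produces an undefined-variable notice. The drop of `urlencode()` on new line 172 also changes the `<option>` value from a URL-encoded to an HTML-attribute-escaped function name, so whichever script builds the documentation lookup URL from `#docs-list` should be encoding that value itself (or the names from `wp_doc_link_parse()` should be limited to identifier characters), otherwise the two editors are consistent in code but differ in what reaches the lookup URL.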