Make WordPress Core


Timestamp:
09/20/2023 09:45:51 AM (5 months ago)
Author:
SergeyBiryukov
Message:

Coding Standards: Escape the whole attribute in wp-admin/export.php.

It is best to always escape the complete value of an attribute, not a partial value, as otherwise the escaping could be (partially) undone when the values are joined together.

While the hardcoded hyphen in this case doesn't necessarily create that risk, it may change to a value which could be problematic, so making it a habit to escape the value in one go is best practice.

Escaping the complete value also means that a single esc_attr() call can be used instead of two.

Follow-up to [14444], [16652], [55616], [56632].

See #58831.

File:
1 edited

  • trunk/src/wp-admin/export.php

    r56632 r56633  
    161161
    162162        $month = zeroise( $date->month, 2 );
    163         echo '<option value="' . esc_attr( $date->year ) . '-' . esc_attr( $month ) . '">' . $wp_locale->get_month( $month ) . ' ' . $date->year . '</option>';
     163
     164        printf(
     165            '<option value="%1$s">%2$s</option>',
     166            esc_attr( $date->year . '-' . $month ),
     167            $wp_locale->get_month( $month ) . ' ' . $date->year
     168        );
    164169    }
    165170}
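
Review bot: In the added printf() call, the second argument, `$wp_locale->get_month( $month ) . ' ' . $date->year`, is passed to the `%2$s` placeholder with no escaping call, so the option label is the one output in this hunk that is still printed unescaped. Since the point of the change is to escape complete values in one go, consider wrapping the whole concatenated label in esc_html(), mirroring how the value is wrapped in esc_attr(), or add a short comment stating why the label is treated as safe at this point.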