Changeset 61084 for trunk/src/wp-includes/class-wp-styles.php

Timestamp:

10/28/2025 09:35:53 PM (6 weeks ago)

Author:

SergeyBiryukov

Message:

Script Loader: Consistently escape the style handle in WP_Styles::do_item().

Includes moving most of the escaping as late as possible when the <link> tag is being constructed.

Follow-up to [29956], [36550], [43564], [46164].

Props georgestephanis, westonruter, azaozz, jonsurrell, XecurAbhijeet, SergeyBiryukov.
See #30036.

File:

• trunk/src/wp-includes/class-wp-styles.php (modified) (3 diffs)

trunk/src/wp-includes/class-wp-styles.php

@@ -195 +195 @@
 
         if ( isset( $obj->args ) ) {
-            $media = esc_attr( $obj->args );
+            $media = $obj->args;
         } else {
             $media = 'all';
@@ -219 +219 @@
 
         $rel   = isset( $obj->extra['alt'] ) && $obj->extra['alt'] ? 'alternate stylesheet' : 'stylesheet';
-        $title = isset( $obj->extra['title'] ) ? sprintf( " title='%s'", esc_attr( $obj->extra['title'] ) ) : '';
+        $title = isset( $obj->extra['title'] ) ? $obj->extra['title'] : '';
 
         $tag = sprintf(
             "<link rel='%s' id='%s-css'%s href='%s'%s media='%s' />\n",
             $rel,
-            $handle,
-            $title,
+            esc_attr( $handle ),
+            $title ? sprintf( " title='%s'", esc_attr( $title ) ) : '',
             $href,
             $this->type_attr,
-            $media
+            esc_attr( $media )
         );
 
@@ -256 +256 @@
                 "<link rel='%s' id='%s-rtl-css'%s href='%s'%s media='%s' />\n",
                 $rel,
-                $handle,
-                $title,
+                esc_attr( $handle ),
+                $title ? sprintf( " title='%s'", esc_attr( $title ) ) : '',
                 $rtl_href,
                 $this->type_attr,
-                $media
+                esc_attr( $media )
             );