Opened 13 years ago
Closed 12 years ago
#19712 closed enhancement (wontfix)
Escape taxonomy labels in tags meta box
Reported by: |
Owned by: |
Milestone: | Priority: normal
Severity: minor | Version: |
Component: Editor | Keywords: has-patch
Focuses: | Cc: |
Description
While browsing the code for the tags post meta box I noticed many values were echoed without escaping. Taxonomy labels from wp-includes/taxonomy.php (http://core.trac.wordpress.org/browser/tags/3.3/wp-includes/taxonomy.php#L14) or elsewhere may have passed through gettext and contain escapable characters in the returned string.
Before: echo $taxonomy->labels->add_new_item
After: echo esc_html( $taxonomy->labels->add_new_item )
While I was in there I also assigned the assign_terms capability test into a single variable compared three times instead of calling the capabilities function three times. Performance benefit, slightly cleaner.
The disabled attribute is a boolean attribute in HTML5; changed that string as well. The variable is only used once and could be a good candidate for a ternary operator based on WP coding standards but the assigned string change is a cleaner patch compare.
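To make the three changes concrete, here is an added example (not the patch attached to this ticket and not WordPress code): it renders a tags-meta-box fragment with the labels escaped, one capability result consulted three times, and the boolean disabled attribute. esc_html_stub() and disabled_attr() are stand-ins for esc_html() and disabled(), which are not loaded here; the taxonomy object and its label strings are constructed.

```php
<?php
// Added example, not the ticket's patch. Stand-in for WordPress esc_html():
// HTML-escapes text destined for element content.
function esc_html_stub( string $text ): string {
    return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// Stand-in for the boolean form of disabled(): emits the attribute only when
// the control really is disabled, no "disabled=\"disabled\"" string constant.
function disabled_attr( bool $disabled ): string {
    return $disabled ? ' disabled' : '';
}

function render_tag_box( object $taxonomy, bool $user_can_assign_terms ): string {
    // Capability result is computed once by the caller and consulted three
    // times here, instead of calling current_user_can() three times.
    $name = $taxonomy->name;
    $out  = '<div class="tagsdiv" id="' . $name . '">';
    $out .= '<textarea name="tax_input[' . $name . ']" class="the-tags"'
          . disabled_attr( ! $user_can_assign_terms ) . '></textarea>';
    if ( $user_can_assign_terms ) {
        // Labels are element content, so esc_html (not esc_attr) is the right escape.
        $out .= '<label class="screen-reader-text" for="new-tag-' . $name . '">'
              . esc_html_stub( $taxonomy->labels->add_new_item ) . '</label>';
        $out .= '<input type="text" id="new-tag-' . $name . '" name="newtag[' . $name . ']" />';
        $out .= '<p class="howto">' . esc_html_stub( $taxonomy->labels->separate_items_with_commas ) . '</p>';
    }
    $out .= '<div class="tagchecklist"></div></div>';
    if ( $user_can_assign_terms ) {
        $out .= '<p><a href="#" class="tagcloud-link">'
              . esc_html_stub( $taxonomy->labels->choose_from_most_used ) . '</a></p>';
    }
    return $out;
}

// Constructed taxonomy; one label carries characters a translation could contain.
$post_tag = (object) [
    'name'   => 'post_tag',
    'labels' => (object) [
        'add_new_item'               => 'Add New Tag',
        'separate_items_with_commas' => 'Separate tags with commas <b>&</b> spaces',
        'choose_from_most_used'      => 'Choose from the most used tags',
    ],
];

echo render_tag_box( $post_tag, true ), "\n";   // label shows &lt;b&gt;&amp;&lt;/b&gt;
echo render_tag_box( $post_tag, false ), "\n";  // textarea carries " disabled", no add controls
```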
Attachments (2)
Change History (8)
#2 in reply to: ↑ 1 (13 years ago)
Replying to ocean90: See the helper function disabled().
WP Admin is now HTML5 and meta box is part of admin, making it easy to determine if the use of a boolean attribute is appropriate. The disabled() function in wp-includes/general-template.php could possibly be called from a theme or plugin and output to an XHTML page. I don't think it makes sense to change the __checked_selected_helper() function for its boolean attributes (checked, selected, disabled) since the output context is unknown.
#3 (13 years ago)
We are using these functions all over the admin place. I don't see the point why you want to use the HTML5 type here.
Using the functions makes the code prettier, and if the time comes when HTML5 rocks the world we only need to change the functions.
13 years ago
disabled() version. Replace string assignment and echo with function call for capability test.
#5 (13 years ago)
- Keywords close added
- Milestone changed from 3.4 to Awaiting Review
Why should these be escaped? These are strings set by plugins and/or then translated. Post type and taxonomy labels should be considered safe. They are not found in attributes and therefore do not need esc_attr(), which is the only real concern for translated strings.
escape taxonomy labels; assign capability test; HTML5 boolean disabled attr