Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#30651 closed enhancement (fixed)

Twenty Fifteen: esc_html_e() for "Published by" string in author-bio.php

Reported by: iamtakashi
Owned by: iandstewart
Milestone: 4.1
Priority: normal
Severity: normal
Version: 4.1
Component: Bundled Theme
Keywords: has-patch
Focuses: (none)
Cc: (none)

Description

Currently _e() is used for the string, but I believe it's better to use esc_html_e() instead.

Attachments (1)

30651.diff (535 bytes) - added by iamtakashi 10 years ago.


Change History (5)

@iamtakashi
10 years ago

#1 @iandstewart
10 years ago

  • Owner set to iandstewart
  • Resolution set to fixed
  • Status changed from new to closed

In 30805:

Twenty Fifteen: correct escaping.

Props iamtakashi, fixes #30651.

#2 @nacin
10 years ago

_e() is proper here. I'm working on a security audit of Twenty Fifteen so I'll revert this sometime in RC.

#3 @TomasM
10 years ago

Is there any clear guidance anywhere for theme developers on when to use escaping?

I follow the development of _s and the default WP themes to make my themes better, and recently escaping was promoted in Twenty Fifteen and _s. Now that I have applied those changes to my theme, I will have to revert them :-/

Is there any harm for having escaping in place?
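To make the difference the ticket is about concrete, here is an added example (not code from Twenty Fifteen or WordPress core) that runs without WordPress. It defines stand-ins for __(), _e(), esc_html() and esc_html_e() that follow the shape of the real functions, and feeds them a constructed translation table: one plain translation, and one hypothetical translation that carries markup. The only difference between _e() and esc_html_e() is whether the translated string is passed through esc_html() (htmlspecialchars with ENT_QUOTES, no double-encoding) before it is echoed; the example shows what that does to each string. The strings and the text domain 'twentyfifteen' are illustrative assumptions.

```php
<?php
// Added example, not part of Twenty Fifteen or WordPress core.
// Stand-alone stand-ins for the WordPress i18n/escaping API so this runs
// without WordPress loaded. Guarded so the file is harmless if it ever is.

// Constructed translation table. In WordPress the translations come from the
// theme's .mo file or a language pack; a translator controls these values.
$translations = array(
    // Plain translation: _e() and esc_html_e() print the same thing.
    'Published by' => 'Publié par',
    // Hypothetical translation carrying markup and an event handler:
    // _e() prints it as-is, esc_html_e() neutralises it.
    'Recent Posts' => 'Artículos <em onmouseover="alert(1)">recientes</em>',
);

if ( ! function_exists( '__' ) ) {
    // Look up the translation; fall back to the source string.
    function __( $text, $domain = 'default' ) {
        global $translations;
        return isset( $translations[ $text ] ) ? $translations[ $text ] : $text;
    }
}

if ( ! function_exists( '_e' ) ) {
    // Echo the translated string with no escaping at all.
    function _e( $text, $domain = 'default' ) {
        echo __( $text, $domain );
    }
}

if ( ! function_exists( 'esc_html' ) ) {
    // Mirrors the core of WordPress's esc_html(): htmlspecialchars() with
    // ENT_QUOTES and double-encoding disabled, so already-encoded entities
    // such as &amp; are left alone.
    function esc_html( $text ) {
        return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false );
    }
}

if ( ! function_exists( 'esc_html_e' ) ) {
    // Translate, then HTML-escape, then echo.
    function esc_html_e( $text, $domain = 'default' ) {
        echo esc_html( __( $text, $domain ) );
    }
}

// Show both functions side by side for each constructed string.
foreach ( array_keys( $translations ) as $original ) {
    echo "Source string:     {$original}\n";
    echo 'With _e():         ';
    _e( $original, 'twentyfifteen' );
    echo "\n";
    echo 'With esc_html_e(): ';
    esc_html_e( $original, 'twentyfifteen' );
    echo "\n\n";
}
```

Run it with `php` on the command line. For 'Published by' both lines are identical, which is the case this ticket covers. For the second string, _e() emits the `<em onmouseover=...>` element verbatim, while esc_html_e() emits `&lt;em onmouseover=&quot;alert(1)&quot;&gt;...`, so the browser shows the tag as text instead of running it. The flip side, which is what makes the choice a judgement call per string, is that esc_html_e() also flattens any markup a translation is supposed to contain.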
