Make WordPress Core

Opened 22 months ago

Last modified 22 months ago

#43010 new enhancement

Attribute Name Escape

Reported by: joe_bopper Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Formatting Keywords: has-patch needs-testing
Focuses: Cc:
PR Number:


The HTML5 spec allows us to arbitrarily named attributes for tags, e.g. data-my-arb-attr-name="attr value". This allows for generated attribute names and thus, a need to escape to avoid potential security implications.

I have seen several occasions of developers using esc_attr to resolve this case, however this is far from correct - the requirements of the name of an attribute are very different to that of the value, the best example of this simply being whitespace.

The requirements of an attribute name can be found here: https://html.spec.whatwg.org/multipage/syntax.html#attributes-2

There is a need for an esc_attr_name function to avoid compromises in html.

I have provided a simple addition patch to wp-includes/formatting.php which should resolve this issue.

Attachments (2)

esc-attr-name.diff (1.1 KB) - added by joe_bopper 22 months ago.
EscAttrName.php (974 bytes) - added by joe_bopper 22 months ago.
Unit test

Download all attachments as: .zip

Change History (8)

#1 @joe_bopper
22 months ago

  • Keywords has-patch needs-unit-tests added

#2 @joe_bopper
22 months ago

  • Focuses template coding-standards added

#3 @swissspidy
22 months ago

  • Component changed from Formatting to General
  • Focuses template coding-standards removed

22 months ago

Unit test

#4 @joe_bopper
22 months ago

  • Keywords needs-testing added; needs-unit-tests removed

@swissspidy Cheers for having a look. For future reference, why would this be a General component and not Formatting?

#5 @swissspidy
22 months ago

  • Component changed from General to Formatting

Whoops, guess I've changed the component by accident. Formatting is correct. Sorry about the confusion :-) And thanks for the tests!

#6 @joe_bopper
22 months ago

No problem. :)

Note: See TracTickets for help on using tickets.