WordPress.org
Get WordPress

Make WordPress Core

Opened 5 years ago

Last modified 17 months ago

#43010 new enhancement

Attribute Name Escape

Reported by: joe_bopper's profile joe_bopper Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Formatting Keywords: needs-testing needs-patch needs-unit-tests
Focuses: Cc:

Description

The HTML5 spec allows us to arbitrarily named attributes for tags, e.g. data-my-arb-attr-name="attr value". This allows for generated attribute names and thus, a need to escape to avoid potential security implications.

I have seen several occasions of developers using esc_attr to resolve this case, however this is far from correct - the requirements of the name of an attribute are very different to that of the value, the best example of this simply being whitespace.

The requirements of an attribute name can be found here: https://html.spec.whatwg.org/multipage/syntax.html#attributes-2

There is a need for an esc_attr_name function to avoid compromises in html.

I have provided a simple addition patch to wp-includes/formatting.php which should resolve this issue.

Attachments (2)

esc-attr-name.diff (1.1 KB) - added by joe_bopper 5 years ago.
EscAttrName.php (974 bytes) - added by joe_bopper 5 years ago.
Unit test

Download all attachments as: .zip

Change History (12)

@joe_bopper
5 years ago

#1 @joe_bopper
5 years ago

  • Keywords has-patch needs-unit-tests added

#2 @joe_bopper
5 years ago

  • Focuses template coding-standards added

#3 @swissspidy
5 years ago

  • Component changed from Formatting to General
  • Focuses template coding-standards removed

@joe_bopper
5 years ago

Unit test

#4 @joe_bopper
5 years ago

  • Keywords needs-testing added; needs-unit-tests removed

@swissspidy Cheers for having a look. For future reference, why would this be a General component and not Formatting?

#5 @swissspidy
5 years ago

  • Component changed from General to Formatting

Whoops, guess I've changed the component by accident. Formatting is correct. Sorry about the confusion :-) And thanks for the tests!

#6 @joe_bopper
5 years ago

No problem. :)

#7 @sc0ttkclark
17 months ago

Finding myself needing this as I dive into building form fields for WP again. Maybe we can get an eye on this for after WP 5.9 goes out. I'll try and return and get a PR w/ test set up for this to see if helps it progress forward.

#8 @sc0ttkclark
17 months ago

Should this function use dash or underscore? Right now it's using underscore and it feels like dash may be more consistent with the data-* standard.

I also was doing some checking and there are multiple areas in WP core which output attribute names without any escaping.

You can find a number of cases in the WP core files by searching for: . '="'

You'll find lots of usage like this:

$attr_strings[] = $k . '="' . esc_attr( $v ) . '"';

#9 @sc0ttkclark
17 months ago

Should the pattern match be something more like: [^a-zA-Z0-9\-_\[\]]+

This may be more comprehensive to only allow certain character ranges versus just replacing a few characters.

#10 @swissspidy
17 months ago

  • Keywords needs-patch needs-unit-tests added; has-patch removed

Related: wp_kses_one_attr and wp_kses_attr_check also have some logic to sanitize (not escape) attribute names based on the KSES allowlist.

Note: See TracTickets for help on using tickets.