Opened 7 years ago
Last modified 3 years ago
#43010 new enhancement
Attribute Name Escape
Reported by: | joe_bopper | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | Formatting | Keywords: | needs-testing needs-patch needs-unit-tests |
Focuses: | Cc: |
Description
The HTML5 spec allows us to arbitrarily named attributes for tags, e.g. data-my-arb-attr-name="attr value". This allows for generated attribute names and thus, a need to escape to avoid potential security implications.
I have seen several occasions of developers using esc_attr
to resolve this case, however this is far from correct - the requirements of the name of an attribute are very different to that of the value, the best example of this simply being whitespace.
The requirements of an attribute name can be found here: https://html.spec.whatwg.org/multipage/syntax.html#attributes-2
There is a need for an esc_attr_name
function to avoid compromises in html.
I have provided a simple addition patch to wp-includes/formatting.php which should resolve this issue.
Attachments (2)
Change History (12)
#3
@
7 years ago
- Component changed from Formatting to General
- Focuses template coding-standards removed
#4
@
7 years ago
- Keywords needs-testing added; needs-unit-tests removed
@swissspidy Cheers for having a look. For future reference, why would this be a General component and not Formatting?
#5
@
7 years ago
- Component changed from General to Formatting
Whoops, guess I've changed the component by accident. Formatting is correct. Sorry about the confusion :-) And thanks for the tests!
#7
@
3 years ago
Finding myself needing this as I dive into building form fields for WP again. Maybe we can get an eye on this for after WP 5.9 goes out. I'll try and return and get a PR w/ test set up for this to see if helps it progress forward.
#8
@
3 years ago
Should this function use dash or underscore? Right now it's using underscore and it feels like dash may be more consistent with the data-* standard.
I also was doing some checking and there are multiple areas in WP core which output attribute names without any escaping.
You can find a number of cases in the WP core files by searching for: . '="'
You'll find lots of usage like this:
$attr_strings[] = $k . '="' . esc_attr( $v ) . '"';
Unit test