Opened 3 years ago
Last modified 3 years ago
#43010 new enhancement
Attribute Name Escape
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | Formatting | Keywords: | has-patch needs-testing |
Focuses: | | Cc: | |
Description
The HTML5 spec allows us to arbitrarily name attributes for tags, e.g. data-my-arb-attr-name="attr value". This allows for generated attribute names and thus a need to escape them to avoid potential security implications.
I have seen several occasions of developers using esc_attr to resolve this case; however, this is far from correct - the requirements for the name of an attribute are very different from those for the value, the best example of this simply being whitespace.
The requirements of an attribute name can be found here: https://html.spec.whatwg.org/multipage/syntax.html#attributes-2
There is a need for an esc_attr_name function to avoid compromises in HTML.
I have provided a simple addition patch to wp-includes/formatting.php which should resolve this issue.
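The block below is an added illustration of the point the description makes; it is not the patch attached to this ticket (the attachments are not reproduced here) and not WordPress code. It borrows the function name esc_attr_name from the reporter's proposal and applies the character rules from the linked WHATWG section; esc_attr_stand_in() (a stand-in for esc_attr(), which only entity-encodes the five HTML metacharacters), html_attr() and the hostile input string are assumptions constructed for the demonstration. It needs the mbstring extension for mb_ord().

```php
<?php
/**
 * Hypothetical esc_attr_name() for illustration only (name taken from the
 * ticket; this is NOT the attached patch). Returns $name with every character
 * the HTML spec forbids in an attribute name removed, or '' when nothing
 * valid is left. Requires the mbstring extension (mb_ord, PHP >= 7.2).
 */
function esc_attr_name( $name ) {
    $name = (string) $name;
    // Reject invalid UTF-8 instead of guessing at its meaning.
    if ( false === preg_match( '//u', $name ) ) {
        return '';
    }
    $out = '';
    foreach ( preg_split( '//u', $name, -1, PREG_SPLIT_NO_EMPTY ) as $ch ) {
        if ( ! is_forbidden_in_attr_name( mb_ord( $ch, 'UTF-8' ) ) ) {
            $out .= $ch;
        }
    }
    return $out;
}

/**
 * Code points the spec excludes from attribute names: controls, U+0020,
 * U+0022 ("), U+0027 ('), U+003E (>), U+002F (/), U+003D (=) and
 * noncharacters. U+003C (<) is stripped as well as a conservative extra;
 * the tokenizer reports it as a parse error inside a name.
 */
function is_forbidden_in_attr_name( $cp ) {
    if ( $cp <= 0x1F || ( $cp >= 0x7F && $cp <= 0x9F ) ) {
        return true; // C0 and C1 controls (tab, LF, CR, FF included).
    }
    if ( in_array( $cp, array( 0x20, 0x22, 0x27, 0x3E, 0x2F, 0x3D, 0x3C ), true ) ) {
        return true;
    }
    if ( $cp >= 0xFDD0 && $cp <= 0xFDEF ) {
        return true; // Noncharacter block U+FDD0..U+FDEF.
    }
    return ( $cp & 0xFFFE ) === 0xFFFE; // U+nFFFE / U+nFFFF in every plane.
}

/** Stand-in for WordPress's esc_attr(): entity-encodes & < > " ' and nothing else. */
function esc_attr_stand_in( $text ) {
    return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
}

/** Renders one attribute; drops it entirely when no usable name remains. */
function html_attr( $name, $value ) {
    $name = esc_attr_name( $name );
    if ( '' === $name ) {
        return '';
    }
    return ' ' . $name . '="' . esc_attr_stand_in( $value ) . '"';
}

// Constructed input: an attribute name under attacker control. The space
// and the '=' are exactly what value-style escaping leaves alone.
$hostile = 'id x="y';

// Value-style escaping keeps the space, so the browser sees a second attribute.
echo '<div ' . esc_attr_stand_in( $hostile ) . '="1">', "\n";

// Name-style escaping removes the separator characters; one attribute remains.
echo '<div' . html_attr( $hostile, '1' ) . '>', "\n";

// A name made only of whitespace or controls produces no attribute at all.
var_dump( html_attr( " \t", 'v' ) );
```

Run stand-alone, the first echo shows the entity-encoded name still split by the space into a bare `id` and a new `x` attribute, while the second collapses the input to a single name. Two design choices are worth stating: stripping rather than rejecting follows the esc_* convention of always returning something usable, but it can silently merge fragments (`id x="y` becomes `idxy`), so code that derives names from untrusted input should compare the result with the original, or check against an allowlist of expected names, and drop the attribute on any difference; and the emptiness check in html_attr() matters, because a name reduced to '' would otherwise emit a bare `="1"` into the tag.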
Attachments (2)
Change History (8)
#3 @ 3 years ago
- Component changed from Formatting to General
- Focuses template coding-standards removed
#4 @ 3 years ago
- Keywords needs-testing added; needs-unit-tests removed
@swissspidy Cheers for having a look. For future reference, why would this be a General component and not Formatting?
Unit test