Make WordPress Core

Opened 11 days ago

Last modified 11 days ago

#46188 new enhancement

esc_html does not have support for multiline output. esc_br_html or line-breaking parameter for esc_html is missing

Reported by: KestutisIT Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 5.0.3
Component: Formatting Keywords: needs-patch
Focuses: template Cc:


Let's say that we want to save not a title, but a block of text in the database. So we have to support multiline escaping.

Now I have to do this:

$escapedMultilineItemDescriptionArray = array_map('esc_html', explode("\n", $data['item_description']));
$printItemDescription = implode("\n", $escapedMultilineItemDescriptionArray );

$objView = new View();
$objView->itemDescription = $printItemDescription;

But then the reviewers at Envato and other coding standards fans are not happy that in the template file I use:

<div class="item-description"><?=nl2br($itemDescription);?></div>

While following the concept of 'escaping at the template', it could instead be 'esc_br_html':

<div class="item-description"><?=esc_br_html($itemDescription);?></div>

or with function esc_html($text, $escapeLineBreaks = FALSE) {...}

<div class="item-description"><?=nl2br(esc_html($itemDescription, TRUE));?></div>

I just see a lot of confusion and misinterpretation of escaping of text that has multiple lines, and there is NO function. And we should not do explode, implode, array_map things inside the template code, as the template is for designers, and every CSS developer has to be able to easily understand the template, so there should be no explodings, implodings.

Change History (2)

#1 follow-up: @swissspidy
11 days ago

  • Focuses coding-standards removed

What about using esc_textarea() or hooking into the esc_html filter instead?

#2 in reply to: ↑ 1 @KestutisIT
11 days ago

Replying to swissspidy:

What about using esc_textarea() or hooking into the esc_html filter instead?

I'm not sure if a filter hook is a good decision, as this has to be global for all plugin developers, meaning a standard defined in coding standards.

What I did is that I created a 'fake' formating.php file in my plugin folder to replicate the missing lines of code in \wp-includes\formatting.php:

PATCH could be the following for the \wp-includes\formatting.php file:


    /**
     * Escape with line-breaks
     * Related ticket - https://core.trac.wordpress.org/ticket/46188
     * @param string $text
     * @return string
     */
    function esc_br_html($text) {
        // Escape each line on its own, then join with <br /> so the only
        // markup in the output is the line break added here.
        $escaped_text_array = array_map('esc_html', explode("\n", $text));
        $escaped_multiline_text = implode("<br />", $escaped_text_array);

        return $escaped_multiline_text;
    }

Regarding esc_textarea - that would be a BAD decision, as it impacts all the other chars; it is dedicated to use inside the <textarea> HTML tag, and probably esc_textarea does not escape single quotes. I mean the same title with just the need to span via multiple lines is such a common case that I saw it over 1000 times in recent years, but only now everybody is bumping so much into the standards, so we need to finally make a solution for everybody, so I believe we need to add one more function to \wp-includes\formatting.php or to add additional parameter support to esc_html.

Last edited 11 days ago by KestutisIT
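A stand-alone PHP model of the esc_br_html() discussed in this ticket, added here as an example; it is not WordPress core code and not the reporter's patch. wp_esc_html_like() and esc_br_html_is_safe() are assumed helper names, with htmlspecialchars() standing in for WordPress's esc_html(), and it also handles \r\n line endings, which the patch above does not.

```php
<?php
// Added example, not WordPress core code. Assumption: wp_esc_html_like()
// stands in for esc_html() by escaping the same characters with
// htmlspecialchars(); the real esc_html() also applies the `esc_html`
// filter and charset checks.
function wp_esc_html_like(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape first, then insert <br />: each line is escaped independently, so
// the only markup in the result is the <br /> inserted here. Splits on
// \r\n, \r and \n (the ticket's version only splits on \n).
function esc_br_html(string $text): string {
    $lines = preg_split('/\r\n|\r|\n/', $text);
    return implode('<br />', array_map('wp_esc_html_like', $lines));
}

// Reviewer check: after removing the <br /> added above, no '<' may remain,
// otherwise raw markup from the input survived escaping.
function esc_br_html_is_safe(string $escaped): bool {
    return strpos(str_replace('<br />', '', $escaped), '<') === false;
}

// Constructed untrusted input: markup, quotes and mixed line endings.
$untrusted = "Line one <b>bold</b>\r\nLine \"two\" & 'more'\nLast";

$safe = esc_br_html($untrusted);
if (!esc_br_html_is_safe($safe) || substr_count($safe, '<br />') !== 2) {
    throw new RuntimeException('esc_br_html produced unexpected markup');
}
echo $safe, PHP_EOL;

// The reversed order (escape after nl2br) is the usual mistake: the <br />
// tags are escaped too, so the page shows them literally and loses the
// line breaks. Looking for the escaped tag catches it.
$reversed = wp_esc_html_like(nl2br($untrusted));
if (strpos($reversed, '&lt;br') === false) {
    throw new RuntimeException('reversed order should escape its own <br />');
}
```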