Make WordPress Core

Changes between Initial Version and Version 2 of Ticket #50867

Timestamp: 08/06/2020 08:37:59 AM (4 years ago)
Author: noisysocks
  • Ticket #50867

    • Property Summary changed from An API for assembling large bits of HTML to An API which encourages automatic escaping of HTML
  • Ticket #50867 – Description

    initial → v2 (Trac line numbers shown; the unchanged lines inside the two code blocks are not displayed on this page)

    Line 1 (unchanged):
    It's common in WordPress to write PHP code that assembles a large bit of HTML using conditional logic. A good example of this is [https://github.com/WordPress/gutenberg/blob/master/packages/block-library/src/navigation-link/index.php#L106 render_block_core_navigation_link]. Unfortunately this type of code can become difficult to read and error prone. For example, we've had several reported XSS vulnerabilities in code like this.

    Line 3 (initial):
    How do we feel about adding an API for building large bits of HTML?
    Line 3 (v2):
    How do we feel about adding an API for **safely** building large bits of HTML?

    Line 5 (unchanged):
    Attached is a patch which implements an API inspired by `createElement` in `@wordpress/element` and the external `classnames` JavaScript library.

    Lines 6–38 (not shown); line 39 (unchanged): }}}

    Line 41 (initial):
    The key design detail is that **all strings are automatically escaped**. If you want to output unescaped HTML you have to do it explicitly.
    Line 41 (v2):
    **The key design detail is that all strings are automatically escaped**. If you want to output unescaped HTML you have to do it explicitly.

    Line 43 (unchanged): {{{#!php
    Lines 44–83 (not shown); line 84 (unchanged): }}}

    Line 86 (initial):
    Thoughts? Are there alternative approaches common in the PHP ecosystem? Does such an API belong in Core?
    Line 86 (v2):
    Thoughts? Are there alternative approaches common in the PHP ecosystem? Does such an API belong in Core? What other approaches can we take to prevent unescaped strings from being output?
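The "escape by default, opt out explicitly" design the ticket describes, as an added example that is not the patch attached to the ticket: the function and class names (`html_element`, `html_classes`, `esc`, `RawHtml`) are hypothetical, and the code assumes PHP 8.1 or later.

```php
<?php
// Added illustration of the design detail above: every string is escaped on output
// unless it is explicitly wrapped as RawHtml. Names are hypothetical, not the patch's.

final class RawHtml {
    // The explicit opt-out: wrap only markup that is already escaped or generated.
    public function __construct(public readonly string $html) {}
}

function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Like the classnames library: plain strings and ['name' => bool] maps.
function html_classes(string|array ...$args): string {
    $classes = [];
    foreach ($args as $arg) {
        $pairs = is_string($arg) ? [$arg => $arg !== ''] : $arg;
        foreach ($pairs as $name => $enabled) {
            if ($enabled) {
                $classes[] = $name;
            }
        }
    }
    return implode(' ', $classes);
}

// Like createElement: attribute values and string children are always escaped;
// only RawHtml children (normally nested elements) are inserted verbatim.
function html_element(string $tag, array $attrs = [], string|RawHtml|null ...$children): RawHtml {
    $out = '<' . $tag;
    foreach ($attrs as $name => $value) {
        if ($value === null || $value === false) {
            continue; // omitted attribute, as in createElement
        }
        $out .= ' ' . $name . '="' . esc((string) $value) . '"';
    }
    $out .= '>';
    foreach ($children as $child) {
        $out .= $child instanceof RawHtml ? $child->html : esc((string) $child);
    }
    return new RawHtml($out . '</' . $tag . '>');
}

// Constructed untrusted input: the tags come out as text, so nothing executes.
$label = '<script>alert(1)</script>';
echo html_element('a', ['href' => 'https://example.com/?a=1&b="2"',
    'class' => html_classes('wp-block-navigation-link', ['current-menu-item' => true])],
    html_element('span', ['class' => 'label'], $label))->html;
```

Escaping of this kind prevents markup injection but does not validate URL schemes; an `href` built from untrusted data still needs a URL check such as WordPress's `esc_url()` before it reaches the builder.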