Changes between Initial Version and Version 2 of Ticket #50867
Timestamp: 08/06/2020 08:37:59 AM (4 years ago)
Ticket #50867

Property Summary changed from "An API for assembling large bits of HTML" to "An API which encourages automatic escaping of HTML"
Ticket #50867 – Description

(unmodified) It's common in WordPress to write PHP code that assembles a large bit of HTML using conditional logic. A good example of this is [https://github.com/WordPress/gutenberg/blob/master/packages/block-library/src/navigation-link/index.php#L106 render_block_core_navigation_link]. Unfortunately this type of code can become difficult to read and error prone. For example, we've had several reported XSS vulnerabilities in code like this.

changed from
How do we feel about adding an API for building large bits of HTML?
to
How do we feel about adding an API for **safely** building large bits of HTML?

(unmodified) Attached is a patch which implements an API inspired by `createElement` in `@wordpress/element` and the external `classnames` JavaScript library.

…

}}}

changed from
The key design detail is that **all strings are automatically escaped**. If you want to output unescaped HTML you have to do it explicitly.
to
**The key design detail is that all strings are automatically escaped**. If you want to output unescaped HTML you have to do it explicitly.

{{{#!php

…

}}}

changed from
Thoughts? Are there alternative approaches common in the PHP ecosystem? Does such an API belong in Core?
to
Thoughts? Are there alternative approaches common in the PHP ecosystem? Does such an API belong in Core? What other approaches can we take to prevent unescaped strings from being output?
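As an added illustration of the escape-by-default design the ticket describes (this is not the ticket's attached patch, whose code is elided above), a minimal createElement-style builder in plain PHP; `el`, `raw_html`, `render_children` and `esc` are assumed names, and `esc` stands in for WordPress's esc_html()/esc_attr():

```php
<?php
// Added illustration, not the API from the ticket's attached patch: a
// createElement-style builder in which every string child and attribute
// value is escaped, and unescaped markup must be wrapped in raw_html().

final class RawHtml {
    public $html;
    public function __construct(string $html) { $this->html = $html; }
}

// The only way to output unescaped HTML: the caller has to ask for it by name.
function raw_html(string $html): RawHtml { return new RawHtml($html); }

// Plain-PHP stand-in for WordPress's esc_html() / esc_attr().
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Children may be strings (escaped), RawHtml (passed through), nested arrays,
// or null/false (skipped), so conditional logic can stay inline in the call.
function render_children(array $children): string {
    $html = '';
    foreach ($children as $child) {
        if ($child === null || $child === false) { continue; }
        if (is_array($child)) { $html .= render_children($child); continue; }
        $html .= $child instanceof RawHtml ? $child->html : esc((string) $child);
    }
    return $html;
}
function el(string $tag, array $attrs = [], ...$children): string {
    // Tag/attribute names come from code, not user input, but are validated anyway.
    if (!preg_match('/^[a-z][a-z0-9-]*$/i', $tag)) { throw new InvalidArgumentException("Bad tag: $tag"); }
    $html = '<' . $tag;
    foreach ($attrs as $name => $value) {
        if (!preg_match('/^[a-z][a-z0-9:-]*$/i', $name)) { throw new InvalidArgumentException("Bad attribute: $name"); }
        if ($value === null || $value === false) { continue; }    // attribute omitted
        if ($value === true) { $html .= " $name"; continue; }      // boolean attribute
        $html .= " $name=\"" . esc((string) $value) . '"';          // always quoted + escaped
    }
    return $html . '>' . render_children($children) . "</$tag>";
}
// Constructed sample input: text that would break markup if echoed unescaped.
$label = 'Say "hi" & <b>wave</b>';
$is_current = false;
echo el('li', ['class' => 'wp-block-navigation-item', 'aria-current' => $is_current ? 'page' : null],
    el('a', ['href' => 'https://example.com/?a=1&b=2', 'data-id' => 42], $label),
    $is_current ? raw_html('<span class="sr-only">(current)</span>') : null
), "\n";
```

The quotes, ampersand and angle brackets in `$label` and the `&` in the href are all entity-encoded in the output, while markup only reaches the page through an explicit `raw_html()` call.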