Unescaped echo in wp-includes/general-template.php

[sabbirshouvo]

In wp-includes/general-template.php -> wp_login_form() there are unescaped value for form name & id that should be properly escaped with esc_attr()

[mukesh27]

Hi there, thanks for the ticket and patch!

The patch looks good to me just one thought, For below three variable we used two times esc_attr can we assign escape value in single variable and pass it?

esc_attr( $args['form_id'] )
esc_attr( $args['id_username'] )
esc_attr( $args['id_password'] )

Moving to milestone 5.9.

[sabbirshouvo]

@mukesh27 sure it's possible. I'm looking into the codes and will make necessary adjustment to the patch.

[sabbirshouvo]

move multiple variables to reusable single variable

[mukesh27]

Thanks for the updated patch. Let's wait to other dev comment.

[audrasjb]

According to WordPress Coding Standards, the rule here is to escape late, so better not using those variables.

[henry.wright]

I prefer the 54279.diff patch to 54279.3.diff. It escapes late like @audrasjb suggested.

[audrasjb]

Adding commit keyword for 54279.diff which is the best option according to WordPress Coding Standards.

[SergeyBiryukov]

In 51926:

Coding Standards: Improve escaping in wp_login_form().

• Split long concatenated lines using sprintf(). This aims to improve readability and avoid multiple esc_attr() calls for the same value.
• Escape the form name and id attributes.

Follow-up to [12696], [18444], [19033].

Props sabbirshouvo, mukesh27, audrasjb, henry.wright, SergeyBiryukov.
Fixes #54279.