Make WordPress Core

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#54295 closed enhancement (fixed)

Unnecessarily escaped values in various customizer controls in wp-includes/customizer

Reported by: sabbirshouvo
Owned by:
Milestone: 5.9
Priority: normal
Severity: normal
Version:
Component: Customize
Keywords: has-patch
Focuses: coding-standards
Cc:


In most cases data.description does not need to be escaped, but it is escaped in multiple controls. Also, in wp-includes/class-wp-customize-control.php some labels and ids are not properly escaped.

Attachments (1)

54295.diff (4.2 KB) - added by sabbirshouvo 3 years ago.

Change History (6)

#1 @SergeyBiryukov
3 years ago

  • Milestone changed from Awaiting Review to 5.9

#2 @SergeyBiryukov
3 years ago

In 51927:

Coding Standards: Escape id attributes in WP_Customize_Control::render_content() and ::print_template().

Follow-up to [30014], [38906].

Props sabbirshouvo.
See #54295.

This ticket was mentioned in Slack in #core by sergey.

3 years ago

#4 @hellofromTonya
3 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

Closing as the patch is committed and will ship in 5.9.

#5 @SergeyBiryukov
3 years ago

Just noting that only the first part of the patch was committed, which adds some missing esc_attr() calls.

I did not touch the (presumably) unnecessarily escaped values, as that required more investigation and I don't see any harm in leaving them as is for now. If anyone thinks that part should be addressed as well, feel free to reopen.
