Make WordPress Core

Opened 22 months ago

Closed 22 months ago

Last modified 22 months ago

#56110 closed defect (bug) (invalid)

Need to use esc_html__ escaping function

Reported by: kartikpatel's profile kartikpatel Owned by:
Milestone: Priority: normal
Severity: normal Version: 6.1
Component: Administration Keywords: has-patch
Focuses: Cc:

Description (last modified by SergeyBiryukov)

Need to use esc_html__ escaping function instead of __ in wp-admin/options-permalink.php file.

Attachments (1)

56110.patch (5.3 KB) - added by kartikpatel 22 months ago.

Download all attachments as: .zip

Change History (7)

@kartikpatel
22 months ago

#1 @SergeyBiryukov
22 months ago

  • Description modified (diff)

#2 follow-up: @SergeyBiryukov
22 months ago

  • Keywords close 2nd-opinion added

Hi there, welcome back to WordPress Trac! Thanks for the ticket and the patch.

Core translations are considered safe because we have a review process for them, see #42639 and the discussion in #30724. (Also related: #32233, #44637.)

In WordPress core and older bundled themes, strings are generally only escaped in attributes or in <option> tags. However, this was recently reconsidered for newer bundled themes, see comment:5:ticket:54127.

Some other related tickets: #47384, #47385, #49535, #49536, #49537.

The $blog_prefix and $prefix values here are hardcoded and not user-editable, so it's not quite clear why they should be escaped.

#3 in reply to: ↑ 2 @desrosj
22 months ago

  • Keywords close 2nd-opinion removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Replying to SergeyBiryukov:

The $blog_prefix and $prefix values here are hardcoded and not user-editable, so it's not quite clear why they should be escaped.

I agree with this assessment, so closing this one out. @kartikpatel if you still feel that esc_html__ should be used here instead and are able provide additional details why, feel free to reopen.

#4 follow-up: @sabernhardt
22 months ago

I agree with keeping the translated string and the prefix variables as they are.

However, I think replacing the six instances of get_option( 'home' ) with a variable that escapes home_url() could improve the code.

$url_base = esc_url( home_url() );

Would that belong on a new ticket?

#5 in reply to: ↑ 4 @SergeyBiryukov
22 months ago

Replying to sabernhardt:

However, I think replacing the six instances of get_option( 'home' ) with a variable that escapes home_url() could improve the code.

Good point! That would remove a few repeated function calls.

Would that belong on a new ticket?

I think a new ticket might be cleaner, as it seems a bit out of scope of the original suggestion. However, as that would touch the same code, we could also repurpose this one. I don't have a strong preference here :)

#6 @sabernhardt
22 months ago

I opened #56235 for the variable. A new ticket should be less confusing than repurposing this one.

Note: See TracTickets for help on using tickets.