Make WordPress Core

Opened 6 weeks ago

Last modified 6 weeks ago

#58127 new enhancement

Twenty Eleven: Add escaping as per the WordPress VIP standards

Reported by: himshekhar07's profile himshekhar07 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Bundled Theme Keywords: needs-patch 2nd-opinion
Focuses: Cc:

Description

In the Twenty Eleven theme folder, the file named search.php has improper escaping on line number 21 as per the VIP standard.

Issue screenshot:
https://share.cleanshot.com/3rPjnj33GHPcFfyL0rKh

The present line of code

printf( __( 'Search Results for: %s', 'twentyeleven' ), '<span>' . get_search_query() . '</span>' );

Improve line of code:

printf( esc_html__( 'Search Results for: %s', 'twentyeleven' ), '<span>' . esc_html( get_search_query() ) . '</span>' );

Change History (1)

#1 @SergeyBiryukov
6 weeks ago

  • Component changed from Themes to Bundled Theme
  • Keywords 2nd-opinion added
  • Summary changed from Improper code to Twenty Eleven: Add escaping as per the WordPress VIP standards

Hi there, welcome back to WordPress Trac! Thanks for the patch.

Please note that WordPress core does not use the WordPress VIP standards, they are specific to Automattic projects.

Previously, the point of view here was that core translations (including bundled themes) are considered safe because we have a review process for them, see #42639 and the discussion in #30724. (Also related: #32233.)

In WordPress core and older bundled themes, strings are generally only escaped in attributes or in <option> tags.

Some other related tickets: #47384, #47385, #49535, #49536, #49537, #54127, #56110, #57133.

This was recently reconsidered for the Twenty Twenty-One theme, see the discussion in #core-themes on Slack.

As the purpose of bundled themes is to demonstrate best practices, they should use proper escaping so that the code copied from or based on these themes also uses correct escaping. This has been addressed for Twenty Twenty-One and will be addressed for newer bundled themes going forward.

For updating the escaping in older themes though, there is no consensus yet, see the second part of the discussion. This should probably be discussed with the Themes team. Personally, I think either way is fine. As these themes are periodically updated for better block editor support, I guess we could address the escaping as well, but it should ideally be done in a consistent way rather than just in a few random occurrences.

Note: See TracTickets for help on using tickets.