Twenty Eleven: Add escaping as per the WordPress VIP standards

[himshekhar07]

In the Twenty Eleven theme folder, the file named search.php has improper escaping on line number 21 as per the VIP standard.

Issue screenshot:
​https://share.cleanshot.com/3rPjnj33GHPcFfyL0rKh

The present line of code

printf( __( 'Search Results for: %s', 'twentyeleven' ), '<span>' . get_search_query() . '</span>' );

Improve line of code:

printf( esc_html__( 'Search Results for: %s', 'twentyeleven' ), '<span>' . esc_html( get_search_query() ) . '</span>' );

[SergeyBiryukov]

Hi there, welcome back to WordPress Trac! Thanks for the patch.

Please note that WordPress core does not use the ​WordPress VIP standards, they are specific to Automattic projects.

Previously, the point of view here was that core translations (including bundled themes) are considered safe because we have a review process for them, see #42639 and the discussion in #30724. (Also related: #32233.)

In WordPress core and older bundled themes, strings are generally only escaped in attributes or in <option> tags.

Some other related tickets: #47384, #47385, #49535, #49536, #49537, #54127, #56110, #57133.

This was recently reconsidered for the Twenty Twenty-One theme, see the discussion in ​#core-themes on Slack.

As the purpose of bundled themes is to demonstrate best practices, they should use proper escaping so that the code copied from or based on these themes also uses correct escaping. This has been addressed for Twenty Twenty-One and will be addressed for newer bundled themes going forward.

For updating the escaping in older themes though, there is no consensus yet, see the ​second part of the discussion. This should probably be discussed with the Themes team. Personally, I think either way is fine. As these themes are periodically updated for better block editor support, I guess we could address the escaping as well, but it should ideally be done in a consistent way rather than just in a few random occurrences.