Opened 8 months ago
Last modified 6 months ago
#58127 new enhancement
Twenty Eleven: Add escaping as per the WordPress VIP standards
Reported by: |
|
Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | Bundled Theme | Keywords: | needs-patch 2nd-opinion |
Focuses: | Cc: |
Description
In the Twenty Eleven theme folder, the file named search.php has improper escaping on line number 21 as per the VIP standard.
Issue screenshot:
https://share.cleanshot.com/3rPjnj33GHPcFfyL0rKh
The present line of code
printf( __( 'Search Results for: %s', 'twentyeleven' ), '<span>' . get_search_query() . '</span>' );
Improve line of code:
printf( esc_html__( 'Search Results for: %s', 'twentyeleven' ), '<span>' . esc_html( get_search_query() ) . '</span>' );
Change History (2)
#1
@
8 months ago
- Component changed from Themes to Bundled Theme
- Keywords 2nd-opinion added
- Summary changed from Improper code to Twenty Eleven: Add escaping as per the WordPress VIP standards
#2
@
6 months ago
I do not recommend escaping translatable strings on this ticket, and it likely is not worth doing if themes such as Twenty Eleven might be retired soon.
However, the search query escaping is inconsistent.
- Twenty Twenty's
$archive_title
runs throughwp_kses_post()
inindex.php
:$archive_title = sprintf( '%1$s %2$s', '<span class="color-accent">' . __( 'Search:', 'twentytwenty' ) . '</span>', '“' . get_search_query() . '”' );
- Twenty Sixteen and Twenty Twenty-One have
esc_html()
inside aspan
:// Twenty Sixteen search.php printf( __( 'Search Results for: %s', 'twentysixteen' ), '<span>' . esc_html( get_search_query() ) . '</span>' ); // Twenty Twenty-One search.php and template-parts\content\content-none.php '<span class="page-description search-term">' . esc_html( get_search_query() ) . '</span>'
- Some
search.php
templates do not escape within thespan
:// pattern in Twenty Ten, Twenty Eleven, Twenty Twelve and Twenty Seventeen printf( __( 'Search Results for: %s', 'twentyseventeen' ), '<span>' . get_search_query() . '</span>' ); // Twenty Nineteen search.php <span class="page-description"><?php echo get_search_query(); ?></span>
- Other
search.php
templates do not escape inside theh1
(without aspan
):// pattern for Twenty Thirteen, Twenty Fourteen and Twenty Fifteen: printf( __( 'Search Results for: %s', 'twentyfifteen' ), get_search_query() );
- The function output is not escaped inside value attributes (which may be unnecessary).
// Twenty Sixteen searchform.php <input type="search" class="search-field" placeholder="<?php echo esc_attr_x( 'Search …', 'placeholder', 'twentysixteen' ); ?>" value="<?php echo get_search_query(); ?>" name="s" /> // Twenty Seventeen searchform.php <input type="search" id="<?php echo $unique_id; ?>" class="search-field" placeholder="<?php echo esc_attr_x( 'Search …', 'placeholder', 'twentyseventeen' ); ?>" value="<?php echo get_search_query(); ?>" name="s" /> // Twenty Twenty searchform.php <input type="search" id="<?php echo esc_attr( $twentytwenty_unique_id ); ?>" class="search-field" placeholder="<?php echo esc_attr_x( 'Search …', 'placeholder', 'twentytwenty' ); ?>" value="<?php echo get_search_query(); ?>" name="s" /> // Twenty Twenty-One searchform.php <input type="search" id="<?php echo esc_attr( $twentytwentyone_unique_id ); ?>" class="search-field" value="<?php echo get_search_query(); ?>" name="s" />
Note: See
TracTickets for help on using
tickets.
Hi there, welcome back to WordPress Trac! Thanks for the patch.
Please note that WordPress core does not use the WordPress VIP standards, they are specific to Automattic projects.
Previously, the point of view here was that core translations (including bundled themes) are considered safe because we have a review process for them, see #42639 and the discussion in #30724. (Also related: #32233.)
In WordPress core and older bundled themes, strings are generally only escaped in attributes or in
<option>
tags.Some other related tickets: #47384, #47385, #49535, #49536, #49537, #54127, #56110, #57133.
This was recently reconsidered for the Twenty Twenty-One theme, see the discussion in #core-themes on Slack.
As the purpose of bundled themes is to demonstrate best practices, they should use proper escaping so that the code copied from or based on these themes also uses correct escaping. This has been addressed for Twenty Twenty-One and will be addressed for newer bundled themes going forward.
For updating the escaping in older themes though, there is no consensus yet, see the second part of the discussion. This should probably be discussed with the Themes team. Personally, I think either way is fine. As these themes are periodically updated for better block editor support, I guess we could address the escaping as well, but it should ideally be done in a consistent way rather than just in a few random occurrences.