Add missing esc_html()

[nareshbheda]

Add missing escaping in wp-includes/class-wp-customize-control.php.

[shailu25]

There is another instance of this on Line 80 in wp-includes/customize/class-wp-customize-nav-menu-location-control.php

echo '<option value="' . esc_attr( $value ) . '"' . selected( $this->value(), $value, false ) . '>' . $label . '</option>';

It should be

echo '<option value="' . esc_attr( $value ) . '"' . selected( $this->value(), $value, false ) . '>' . esc_html( $label ) . '</option>';

[sabernhardt]

Good catches!

• [20295] added WP_Customize_Control without escaping $label for the option element, though the changeset escaped the text used for the input labels.
• [32806] added WP_Customize_Nav_Menu_Location_Control.

I also found similar <option elements for bulk actions in WP_List_Table, but should this ticket remain focused on the Customizer classes instead of searching wp-admin too?

[audrasjb]

Given similar instances are escaped, these one should be escaped too, at least for better consistency.

Adding changes-requested to take into account comment:3.

I also found similar <option elements for bulk actions in WP_List_Table, but should this ticket remain focused on the Customizer classes instead of searching wp-admin too?

Yeah I think that's another ticket :)

[audrasjb]

Alright let's commit this (I'll make the change to the other file directly).

[audrasjb]

In 57369:

Coding Standards: Add missing escaping functions to WP_Customize_Control and WP_Customize_Nav_Menu_Location_Control.

Follow-up to [20295], [32806].

Props nareshbheda, shailu25, sabernhardt, audrasjb.
Fixes #60324.

[shailu25]

Updated Patch.