Make WordPress Core

Changes between Initial Version and Version 2 of Ticket #62787


Timestamp:
01/08/2025 04:32:37 PM (3 months ago)
Author:
sabernhardt
Comment:
  1. The default output of twentynineteen_custom_colors_css() is CSS only, but that is filterable.
  2. At least two plugins use the filter.
  3. To remove any added HTML entirely, consider wp_strip_all_tags() instead of esc_html(). Note that either function could affect a tag name within a CSS comment (esc_html would be better for that unlikely possibility).
  4. twentynineteen_custom_colors_css() outputs code in two places. If the 'custom-theme-colors' styles escape or remove HTML tags, then the inline style for 'twentynineteen-editor-customizer-styles' probably should use the same function.
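
An added example, not part of the ticket or of WordPress core, comparing the two functions named in the comment above on the same filtered CSS. `demo_esc_html()` and `demo_strip_all_tags()` are simplified stand-ins for the core functions so the script runs outside WordPress, and the sample CSS is constructed.

```php
<?php
// Simplified stand-ins (assumptions): core esc_html() also checks for invalid
// UTF-8 and applies a filter; core wp_strip_all_tags() also takes $remove_breaks.
function demo_esc_html( string $text ): string {
	return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8', false );
}

function demo_strip_all_tags( string $text ): string {
	// Drop whole <script>/<style> elements, then any remaining tags.
	$text = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $text );
	return trim( strip_tags( $text ) );
}

// Constructed sample: CSS as a plugin might return it through the filter,
// with a tag name in a comment, a child combinator, and trailing HTML.
$css = implode(
	"\n",
	array(
		'/* link color inside <figure> captions */',
		'.main-navigation .main-menu > li > a { color: hsl(199, 100%, 33%); }',
		'</style><p>HTML added through the filter</p>',
	)
);

// Summarize what each function did to the parts a reviewer cares about.
function demo_report( string $out ): array {
	return array(
		'contains_tags'           => (bool) preg_match( '/<\/?[a-z]/i', $out ),
		'child_combinator_intact' => false !== strpos( $out, '.main-menu > li > a' ),
		'comment_tag_name_kept'   => false !== strpos( $out, 'figure' ),
	);
}

foreach ( array( 'demo_esc_html', 'demo_strip_all_tags' ) as $fn ) {
	$out = $fn( $css );
	echo "== {$fn} ==\n{$out}\n";
	echo json_encode( demo_report( $out ) ), "\n\n";
}
```

Text inside a `<style>` element is not entity-decoded by the browser, so any `>` that an HTML-escaping function turns into `&gt;` stays literal in the selector; check the real color CSS for child combinators before choosing between the two functions.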

  • Ticket #62787

    • Property Focuses coding-standards added; php-compatibility removed
    • Property Component changed from Themes to Bundled Theme
    • Property Summary changed from Twenty Nineteen : PHPCS Fixes to Twenty Nineteen: sanitize output of twentynineteen_custom_colors_css()
  • Ticket #62787 – Description

    initial v2  
    1 In theme Twenty Nineteen , I can see one PHPCS Warning in function.php file i.e.
     1In theme Twenty Nineteen , I can see one PHPCS Warning in `functions.php` file i.e.
    22All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'twentynineteen_custom_colors_css'
    33