Make WordPress Core

Opened 3 months ago

Closed 3 months ago

Last modified 3 months ago

#62885 closed enhancement (fixed)

Missing dot at the end of the descriptions

Reported by: kapasias
Owned by: SergeyBiryukov
Milestone: 6.8
Priority: normal
Severity: normal
Version: trunk
Component: General
Keywords: has-patch
Focuses: docs
Cc:

Description

In the file wp-includes/formatting.php:
Added missing dots and improved the function esc_attr( $text ) to remove
unsafe event handler attributes (like onclick, onmouseover, etc.) from HTML elements.

Attachments (1)

62885.diff (3.2 KB) - added by kapasias 3 months ago.


Change History (9)

@kapasias
3 months ago

#1 @kapasias
3 months ago

  • Keywords has-patch added

Example

function custom_message_shortcode() {

	// $value1 is an event-handler attribute string; it is placed in attribute-name position below.
	$value1 = 'onmouseover=alert("XSS")';
	$value2 = 'Text with Space';
	$value3 = 'abc = xyz';

	// esc_html( $value1 ) and esc_attr( $value3 ) land between the tag name and class="..."
	// (attribute position); esc_attr( $value2 ) is used as the element's text content.
	return '<div ' . esc_html( $value1 ) . ' ' . esc_attr( $value3 ) . ' class="custom-message">' . esc_attr( $value2 ) . '</div>';

}
add_shortcode( 'custom_message', 'custom_message_shortcode' );

This line of code uses preg_replace() to sanitize a string by removing potentially unsafe event handler attributes (like onclick, onmouseover, etc.) from HTML elements.

This is a security measure to prevent malicious JavaScript from being executed via event handler attributes in user-supplied content. It helps mitigate risks like Cross-Site Scripting (XSS).

Before update (function): https://prnt.sc/4LfxABLmaM2o

After update (function): https://prnt.sc/ZYIWFxjYCDnN

So the line preg_replace( '/\s*on\w+\s*=\s*["\']?.*?["\']?/i', '', $safe_text );
sanitizes and escapes the HTML.

Last edited 3 months ago by sabernhardt

#2 @swissspidy
3 months ago

  • Summary changed from Missing dot at the end of the description and improve function to Missing dot at the end of the descriptions

Hi there,

You're really mixing two completely different things in this ticket — docblock improvements and changes to a crucial function.

Also, what you are missing is that esc_attr() is supposed to escape attribute values, not attribute names. So your example is wrong and thus the change doesn't make sense.

Let's focus on the docblock improvements :-)
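As an added illustration of the point made in comment #2 (this is not code from the ticket, the attached diff, or WordPress core), the following stand-alone PHP contrasts the shortcode pattern from comment #1 with attribute construction that keeps untrusted data in attribute-value position only. The example_* functions are hypothetical stand-ins for esc_attr() and esc_html() built on htmlspecialchars(); they are assumptions made for this example, not the core implementations, and the input string is constructed to mirror $value1 from comment #1.

```php
<?php
// Added example, not code from the ticket or from WordPress core. The example_*
// helpers are hypothetical stand-ins written for this illustration; WordPress's
// own esc_attr() and esc_html() also normalise existing entities and run filters,
// which is omitted here.

// Stand-in for esc_attr(): escape a string for use inside a quoted attribute value.
function example_esc_attr( string $text ): string {
	return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false );
}

// Stand-in for esc_html(): escape a string for use as element text content.
function example_esc_html( string $text ): string {
	return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false );
}

/**
 * Build a <div> where only attribute VALUES and the text content are untrusted.
 * Attribute NAMES are checked against a fixed allowlist, so a key such as
 * "onmouseover" is dropped instead of being passed through an escaping function
 * that was never designed for that position.
 */
function example_build_div( array $attrs, string $content ): string {
	static $allowed_names = array( 'class', 'id', 'title', 'data-message' );

	$html = '<div';
	foreach ( $attrs as $name => $value ) {
		if ( ! in_array( $name, $allowed_names, true ) ) {
			continue; // Unknown attribute name: never emitted, whatever its value.
		}
		$html .= ' ' . $name . '="' . example_esc_attr( (string) $value ) . '"';
	}
	return $html . '>' . example_esc_html( $content ) . '</div>';
}

// True when the markup carries an on* event-handler attribute (an attribute name
// following whitespace). Used only to report the outcome of each construction.
function example_has_event_handler( string $html ): bool {
	return 1 === preg_match( '/\son[a-z]+\s*=/i', $html );
}

// Constructed input, mirroring the $value1 string from comment #1.
$untrusted = 'onmouseover=alert("XSS")';

// 1. The pattern from the shortcode example: untrusted data in attribute-name
//    position. The escaping helper turns the quotes into &quot;, but browsers
//    decode character references inside attribute values, so the markup still
//    carries a working onmouseover handler. No escaping function fixes this
//    placement, because escaping is defined per context (value, text, URL).
$wrong = '<div ' . example_esc_attr( $untrusted ) . ' class="custom-message">'
	. example_esc_html( 'Text with Space' ) . '</div>';

// 2. The same string as an attribute VALUE, the context esc_attr() is made for.
//    It is rendered as inert text inside the class attribute.
$as_value = example_build_div( array( 'class' => $untrusted ), 'Text with Space' );

// 3. An attacker-chosen attribute NAME is rejected by the allowlist.
$as_name = example_build_div(
	array( 'onmouseover' => 'alert(1)', 'class' => 'custom-message' ),
	'Text with Space'
);

foreach ( array( 'name position' => $wrong, 'value position' => $as_value, 'allowlisted names' => $as_name ) as $label => $markup ) {
	printf(
		"%-18s handler present: %s\n   %s\n",
		$label,
		example_has_event_handler( $markup ) ? 'yes' : 'no',
		$markup
	);
}
```

Run with php from the command line: only the first construction still contains an on* attribute, the other two do not. That is the distinction comment #2 draws: esc_attr() escapes attribute values, so a change inside it cannot make untrusted attribute names safe, and the defensive fix is to never let untrusted data choose the attribute name at all.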

#3 @kapasias
3 months ago

  • Focuses coding-standards removed

OK, focusing on the docblock improvements.

This ticket was mentioned in PR #8241 on WordPress/wordpress-develop by @ankitkumarshah.

#4
3 months ago

Trac ticket: #62885

## Description
Implements the changes from this diff in accordance with this comment. Additionally, I have identified and corrected a few other instances in the file where periods were missing at the end of sentences.

## Changes:

  • Added missing periods to @return documentation blocks
  • Added missing periods to @param descriptions
  • Added missing periods to complete sentence inline comments
  • Added missing periods to section marker comments ("START: emoji arrays")

@ankitkumarshah commented on PR #8241:

#5
3 months ago

Hi @peterwilsoncc,
I have made the necessary changes. Please review it at your convenience.
Thank You!

#6 @SergeyBiryukov
3 months ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 59765:

Docs: Update comments in wp-includes/formatting.php per the documentation standards.

Follow-up to [1345], [8662], [8786], [33624], [34761].

Props kapasias, ankitkumarshah, swissspidy, peterwilsoncc.
Fixes #62885.

#7 @SergeyBiryukov
3 months ago

  • Milestone changed from Awaiting Review to 6.8

@SergeyBiryukov commented on PR #8241:

#8
3 months ago

Thanks for the PR! Merged in r59765.
