WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#9650 closed defect (bug) (fixed)

attribute_escape() shortcuts

Reported by: ryan Owned by:
Milestone: 2.8 Priority: normal
Severity: normal Version:
Component: Formatting Keywords: security i18n
Focuses: Cc:

Description (last modified by ryan)

attribute_escape() is often forgotten on value attributes, especially on translated messages. Maybe some shortcuts would improve adoption. Use esc() as shorthand for atribute_escape() and add _e_esc() and _t_esc() which run translations through attribute_escape(), thus avoiding the need to do this: echo attribute_escape( __('Translated string') )

Attachments (2)

9650.diff (4.5 KB) - added by ryan 5 years ago.
9650 .patch (3.6 KB) - added by hakre 5 years ago.
Akismet

Download all attachments as: .zip

Change History (23)

comment:1 ryan5 years ago

  • Component changed from General to Formatting
  • Keywords security i18n added
  • Owner anonymous deleted

comment:2 ryan5 years ago

  • Description modified (diff)

comment:3 ryan5 years ago

_a(), _ea(), _xa() are other suggestions.

ryan5 years ago

comment:4 ryan5 years ago

(In [11103]) attr(), _a(), _ea(), _xa() for shorthand attribute escaping. see #9650

comment:5 Denis-de-Bernardy5 years ago

thank you. you've just made coding shorter to write. :-)

comment:6 ryan5 years ago

(In [11104]) Some attr escaping. see #9650

comment:7 ryan5 years ago

(In [11109]) s/attribute_escape/attr/. see #9650

comment:8 ryan5 years ago

(In [11110]) attr escaping. see #9650

comment:9 Simek5 years ago

akismet.php file form Akismet Plugin also need to be updated.

comment:10 Denis-de-Bernardy5 years ago

  • Milestone changed from Unassigned to 2.8

hakre5 years ago

Akismet

comment:11 markjaquith5 years ago

I find this to be harder to remember. My inclination would be to standardize the function names but keep them memorable and more obvious.

Here is my suggestion:

  • __ = translate return suffix
  • _e = translate echo suffix

Stick all escaping functions into an "esc" class.

methods:

  • attr()
  • url()
  • js()
  • html()
  • sql()

html(), js(), attr() would have __ and _e suffix versions too.

So it would look like:

esc::[context][optional translation suffix]( $input, [optional translation domain]);

Example:

<a href="<?php echo esc::url( $my_url ); ?>"><?php esc::html_e( 'My translatable string' ); ?></a>

It's still shorter, but it's obvious that escaping is going on, and which context is being used. People already know __() and _e() so we keep those as suffixes. This also puts all our escaping in one place, so that curious people can look there to see which contexts they should be escaping but might not be.

comment:12 ryan5 years ago

Let's do it.

comment:13 ryan5 years ago

xgettext might not like that format though.

comment:14 ryan5 years ago

I can't get xgettext to recognize anything with a ::

comment:15 Denis-de-Bernardy5 years ago

mm... in that case we'd want to use straight functions instead: esc_html_e(), etc.

comment:16 link2caro5 years ago

  • Cc tran.minhquan@… added

keep _e and at the beginning for better auto-completion if straight functions are used

comment:17 link2caro5 years ago

sorry,

!_e()
__()

comment:18 markjaquith5 years ago

(In [11204]) _a(), _ea(), _xa(), attr() are now esc_attr(), esc_attr_e(), esc_attr_x(), esc_attr() -- still short, but less cryptic. see #9650

comment:19 markjaquith5 years ago

link2caro, considered that, but _eattr_esc() isn't very clear. The leading underscore makes it ideal as a suffix. Also:

attribute_escape(__('string'));

Becomes:

esc_attr__('string');

Maps well.

comment:20 Viper007Bond5 years ago

Let's not forget about js_escape(). Worth renaming to esc_js() or similar?

See also: #7648

comment:21 ryan5 years ago

  • Resolution set to fixed
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.