Skip to content

Commit

Permalink
Coding Standards: Improve escaping in wp_login_form().
Browse files Browse the repository at this point in the history 
* Split long concatenated lines using `sprintf()`. This aims to improve readability and avoid multiple `esc_attr()` calls for the same value.
* Escape the form `name` and `id` attributes.

Follow-up to [12696], [18444], [19033].

Props sabbirshouvo, mukesh27, audrasjb, henry.wright, SergeyBiryukov.
Fixes #54279.

git-svn-id: https://develop.svn.wordpress.org/trunk@51926 602fd350-edb4-49c9-b593-d223f7449a82
  • Loading branch information
@SergeyBiryukov
SergeyBiryukov committed Oct 21, 2021
1 parent d428a5b commit 1cf97a3
Showing 1 changed file with 44 additions and 19 deletions.
63 changes: 44 additions & 19 deletions src/wp-includes/general-template.php
View file
Expand Up @@ -576,25 +576,50 @@ function wp_login_form( $args = array() ) {
*/
$login_form_bottom = apply_filters( 'login_form_bottom', '', $args );

$form = '
<form name="' . $args['form_id'] . '" id="' . $args['form_id'] . '" action="' . esc_url( site_url( 'wp-login.php', 'login_post' ) ) . '" method="post">
' . $login_form_top . '
<p class="login-username">
<label for="' . esc_attr( $args['id_username'] ) . '">' . esc_html( $args['label_username'] ) . '</label>
<input type="text" name="log" id="' . esc_attr( $args['id_username'] ) . '" class="input" value="' . esc_attr( $args['value_username'] ) . '" size="20" />
</p>
<p class="login-password">
<label for="' . esc_attr( $args['id_password'] ) . '">' . esc_html( $args['label_password'] ) . '</label>
<input type="password" name="pwd" id="' . esc_attr( $args['id_password'] ) . '" class="input" value="" size="20" />
</p>
' . $login_form_middle . '
' . ( $args['remember'] ? '<p class="login-remember"><label><input name="rememberme" type="checkbox" id="' . esc_attr( $args['id_remember'] ) . '" value="forever"' . ( $args['value_remember'] ? ' checked="checked"' : '' ) . ' /> ' . esc_html( $args['label_remember'] ) . '</label></p>' : '' ) . '
<p class="login-submit">
<input type="submit" name="wp-submit" id="' . esc_attr( $args['id_submit'] ) . '" class="button button-primary" value="' . esc_attr( $args['label_log_in'] ) . '" />
<input type="hidden" name="redirect_to" value="' . esc_url( $args['redirect'] ) . '" />
</p>
' . $login_form_bottom . '
</form>';
$form =
sprintf(
'<form name="%1$s" id="%1$s" action="%2$s" method="post">',
esc_attr( $args['form_id'] ),
esc_url( site_url( 'wp-login.php', 'login_post' ) )
) .
$login_form_top .
sprintf(
'<p class="login-username">
<label for="%1$s">%2$s</label>
<input type="text" name="log" id="%1$s" class="input" value="%3$s" size="20" />
</p>',
esc_attr( $args['id_username'] ),
esc_html( $args['label_username'] ),
esc_attr( $args['value_username'] )
) .
sprintf(
'<p class="login-password">
<label for="%1$s">%2$s</label>
<input type="password" name="pwd" id="%1$s" class="input" value="" size="20" />
</p>',
esc_attr( $args['id_password'] ),
esc_html( $args['label_password'] )
) .
$login_form_middle .
( $args['remember'] ?
sprintf(
'<p class="login-remember"><label><input name="rememberme" type="checkbox" id="%1$s" value="forever"%2$s /> %3$s</label></p>',
esc_attr( $args['id_remember'] ),
( $args['value_remember'] ? ' checked="checked"' : '' ),
esc_html( $args['label_remember'] )
) : ''
) .
sprintf(
'<p class="login-submit">
<input type="submit" name="wp-submit" id="%1$s" class="button button-primary" value="%2$s" />
<input type="hidden" name="redirect_to" value="%3$s" />
</p>',
esc_attr( $args['id_submit'] ),
esc_attr( $args['label_log_in'] ),
esc_url( $args['redirect'] )
) .
$login_form_bottom .
'</form>';

if ( $args['echo'] ) {
echo $form;
Expand Down

0 comments on commit 1cf97a3

Please sign in to comment.