
QA: Assert usage of esc_* functions in templates #127

Open
ScreamingDev opened this issue Aug 2, 2017 · 0 comments

ScreamingDev commented Aug 2, 2017

Templates often just print out what's inside a variable.
This is the point where injection of bad code can be done.
WordPress has built esc_* for that, which we should use in templates.

  • How to assert this? So that further commits don't bring in this problem anymore.
    • It is allowed inside algorithms except templates ("HTML").
    • Maybe we need a template system or a specific folder where all templates live in.
  • Find all __()/_*() and replace by esc_html or esc_attr.
  • Find all echo/print and replace by esc_html or esc_attr.
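One way to assert the escaping rule described above in QA, as an added example that is not part of the original issue or the project's code: a small Python scanner that flags every `echo`/`print`/`<?=` in a template whose expression is not wrapped in an `esc_*` (or `wp_kses*`) call, plus every direct-printing `_e()`/`_ex()` call. The sample template, the file layout and the set of accepted escaper prefixes are assumptions; it is meant to run over the templates folder in CI.

```python
import re
from typing import List, Tuple

# Output statements a template may use to print a value, plus the i18n
# helpers that print directly (_e, _ex) without an explicit echo.
# esc_html_e()/esc_attr_e() are not matched by the i18n branch because
# the \b before "_e" does not hold after the "l"/"r" of the prefix.
STATEMENT_RE = re.compile(
    r"(?:<\?=|\becho\b|\bprint\b)\s*(?P<expr>[^;]+?)\s*(?:;|\?>)"
    r"|(?P<i18n>\b_ex?\s*\([^;]*\))"
)

# Accepted escapers (assumption): any esc_* function from WordPress core,
# e.g. esc_html, esc_attr, esc_url, esc_html__, and the wp_kses family.
ESCAPED_RE = re.compile(r"^(?:esc_[a-z_]+|wp_kses(?:_[a-z]+)?)\s*\(")


def is_escaped(expr: str) -> bool:
    """True when the printed expression is wrapped in an escaping call."""
    return ESCAPED_RE.match(expr.strip()) is not None


def find_unescaped_output(php: str) -> List[Tuple[int, str]]:
    """Return (line_number, expression) for every output statement whose
    value reaches the page without passing through an escaper."""
    findings = []
    for m in STATEMENT_RE.finditer(php):
        expr = (m.group("expr") or m.group("i18n")).strip()
        if is_escaped(expr):
            continue
        line = php.count("\n", 0, m.start()) + 1
        findings.append((line, expr))
    return findings


# Constructed sample template (not from the project): lines 2, 4 and 5
# print unescaped values; lines 3, 6 and 7 use esc_* / wp_kses_post.
SAMPLE_TEMPLATE = """<?php /* constructed sample template */ ?>
<h1><?php echo $title; ?></h1>
<p><?php echo esc_html( $description ); ?></p>
<a href="<?php echo esc_url( $link ); ?>"><?php _e( 'Read more', 'demo' ); ?></a>
<span><?= __( 'Untitled', 'demo' ) ?></span>
<button><?php esc_html_e( 'Save', 'demo' ); ?></button>
<?php print wp_kses_post( $body ); ?>
"""

if __name__ == "__main__":
    for line, expr in find_unescaped_output(SAMPLE_TEMPLATE):
        print(f"line {line}: unescaped output: {expr}")
```

In CI, read each file under the templates folder, call `find_unescaped_output` on its contents, and fail the build when the list is non-empty.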