Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

hard coded string sanitation removed #361 #362

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from

Conversation

AbmSourav
Copy link

@AbmSourav AbmSourav commented Jan 4, 2022

Copy link
Contributor

@kasparsd kasparsd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the pull request! Please see my initial feedback inline.

@@ -44,7 +44,7 @@
* Admin notice for incompatible versions of PHP.
*/
function _foo_bar_php_version_error() {
printf( '<div class="error"><p>%s</p></div>', esc_html( _foo_bar_php_version_text() ) );
printf( '<div class="error"><p>%s</p></div>', _foo_bar_php_version_text() );
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we keep the esc_html() sanitiser during the output here? Currently it is being removed from all paces.

The best practice would be to sanitize late when we know the type of output we're serving. Technically, the return value of _foo_bar_php_version_text() could be used for things like REST API errors, JS callback errors which would each require a different santiser.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants