VIP-Coding-Standards
include `url(' . esc_url_raw()` to proper escaping function sniff
We probably should enforce esc_url for any urls.
I recall that HTML entities don't work well in CSS. So esc_url_raw() should be used instead of esc_url(), since the latter assumes an HTML context.
Good point @westonruter, thanks! I'll poke around more before acting on this.
@david-binda There is already a sniff that checks for incorrect escaping, so I'm not sure that I'm following the issues you're referencing here. Can you please give some good code / bad code to make it more explicit what we'd need to check for?
Hey @GaryJones! Again, sorry for not being clear. I meant that we should be catching stuff like this:
<?php
echo '<style>
.class {
background-image: url("' . esc_html( $variable ) . '");
}
</style>';
where the esc_html should better be replaced by esc_url or, like Weston pointed out, by esc_url_raw. The sniff you are referring to, ProperEscapingFunctionSniff, is not currently inspecting nor reporting such cases.
That said, a good example:
<?php
echo '<style>
.class {
background-image: url("' . esc_url_raw( $variable ) . '");
}
.another-class {
background-image: url("' . esc_url( $variable ) . '");
}
</style>';
and a bad one:
<?php
echo '<style>
.class {
background-image: url("' . esc_html( $variable ) . '");
}
</style>';
Does that help?
I think the trouble here will be that this is all potentially just characters inside a string before the actual variable, or a heredoc/nowdoc. There are likely several different ways to compose the string, concatenate / interpolate a variable and then choose when to echo it.
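To make the good/bad pair above concrete as a check, here is an added PHP_CodeSniffer sniff written for this thread; it is not code from VIP-Coding-Standards or from any of the commenters. It handles only the concatenation form shown in the examples (a quoted literal ending in `url("` or `url('`, then `.`, then a function call) and flags HTML-context escapers there; the namespace `Example\Sniffs\Security`, the class name and the error code `HtmlEscapeInCssUrl` are assumptions. It deliberately does not flag `esc_url()`, since the thread leaves open whether that should also be reported.

```php
<?php
// Constructed example: a PHP_CodeSniffer sniff that reports HTML-context
// escaping functions used inside a CSS url() built by string concatenation.
// Illustrative code for this discussion, not part of VIP-Coding-Standards.

namespace Example\Sniffs\Security;

use PHP_CodeSniffer\Files\File;
use PHP_CodeSniffer\Sniffs\Sniff;

class CssUrlEscapingSniff implements Sniff
{
    // Escaping functions that assume an HTML context. They may emit entities
    // such as &#038; which CSS does not decode, so the URL breaks in a stylesheet.
    private $htmlContextFunctions = [
        'esc_html' => true,
        'esc_attr' => true,
    ];

    public function register()
    {
        // Single- and double-quoted literals without interpolation. Heredoc,
        // nowdoc and interpolated strings tokenize differently and are not
        // covered by this example.
        return [T_CONSTANT_ENCAPSED_STRING];
    }

    public function process(File $phpcsFile, $stackPtr)
    {
        $tokens = $phpcsFile->getTokens();

        // Token content includes the PHP quotes, e.g. '<style>.a{background-image:url("'.
        // Only literals that end with an opening url( are relevant here.
        $content = $tokens[$stackPtr]['content'];
        if (preg_match('/url\(\s*["\']?\s*["\']$/i', $content) !== 1) {
            return;
        }

        // The next non-whitespace token must be the concatenation operator.
        $concat = $phpcsFile->findNext(T_WHITESPACE, ($stackPtr + 1), null, true);
        if ($concat === false || $tokens[$concat]['code'] !== T_STRING_CONCAT) {
            return;
        }

        // After the operator comes the call whose result lands inside url().
        $func = $phpcsFile->findNext(T_WHITESPACE, ($concat + 1), null, true);
        if ($func === false || $tokens[$func]['code'] !== T_STRING) {
            return;
        }

        $name = strtolower($tokens[$func]['content']);
        if (isset($this->htmlContextFunctions[$name])) {
            $phpcsFile->addError(
                'Value inside CSS url() is escaped with %s(), which assumes an HTML context; use esc_url_raw() instead.',
                $func,
                'HtmlEscapeInCssUrl',
                [$name]
            );
        }
    }
}
```

Against the snippets above, the `esc_html( $variable )` case produces one error and the `esc_url_raw()` / `esc_url()` case produces none. As Gary notes, this only covers one way of composing the string: a double-quoted string with `{$variable}` inside, or a heredoc, arrives as `T_DOUBLE_QUOTED_STRING` or `T_START_HEREDOC` tokens with the call embedded in the string content, so a production sniff would need a second pass over those token types that inspects the string content itself.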