
Add missing auto-escaped function

Open zzap opened this issue 6 years ago • 4 comments

New(ish) privacy features added new auto-escaped function the_privacy_policy_link - docs.

zzap avatar Apr 14 '20 21:04 zzap

Yes, I was playing with get_the_privacy_policy_link() in my local and it is a potential hole. I'd escape it with wp_kses_post. At least to avoid JavaScript injection until the proper escaping happens inside the function.

Thank you for the welcome :)

zzap avatar Apr 15 '20 14:04 zzap

So there's a way for unsafe content to be output, but we want to make it as auto-escaped and therefore not flag it? What am I missing here?

GaryJones avatar May 10 '20 12:05 GaryJones

@GaryJones Yes, there is a way, but that's no different with nearly every other function in the list. So either we should accept this PR or we should remove all the other functions with similar weaknesses from the list.

jrfnl avatar May 10 '20 12:05 jrfnl

By itself, I'd say No for this change, but, I also don't like inconsistencies. I'd reluctantly approve this, if needed.

Perhaps as a separate task we could look at what functions really do provide solid escaping at the last moment, and which make an effort before allowing a filter at the last moment instead.

GaryJones avatar Aug 03 '20 21:08 GaryJones

Based on the above discussion, I'm closing this PR. I've opened a separate issue to review the existing list of "safe functions". See #2119.

jrfnl avatar Dec 02 '22 13:12 jrfnl