vhad/wordpress-develop
1
0
Fork 0
mirror of https://github.com/gosticks/wordpress-develop.git synced 2025-10-16 12:05:38 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Coding Standards: Escape the whole attribute in wp-admin/export.php.

Browse Source 
It is best to always escape the complete value of an attribute, not a partial value, as otherwise the escaping could be (partially) undone when the values are joined together.

While the hardcoded hyphen in this case don't necessarily create that risk, it may change to a value which could be problematic, so making it a habit to escape the value in one go is best practice.

Escaping the complete value also means that a single `esc_attr()` call can be used instead of two.

Follow-up to [14444], [16652], [55616], [56632].

See #58831.

git-svn-id: https://develop.svn.wordpress.org/trunk@56633 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Sergey Biryukov 2023-09-20 09:45:51 +00:00
parent 8fea8aa389
commit 58bb4b79ca
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/wp-admin/export.php
View File

@ -160,7 +160,12 @@ function export_date_options( $post_type = 'post' ) {
}
$month = zeroise( $date->month, 2 );
echo '<option value="' . esc_attr( $date->year ) . '-' . esc_attr( $month ) . '">' . $wp_locale->get_month( $month ) . ' ' . $date->year . '</option>';
printf(
'<option value="%1$s">%2$s</option>',
esc_attr( $date->year . '-' . $month ),
$wp_locale->get_month( $month ) . ' ' . $date->year
);
}
}
?>