Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Late escape latest comments block #37865

Merged
merged 9 commits into from
Jan 14, 2022
Merged

Late escape latest comments block #37865

merged 9 commits into from
Jan 14, 2022

Conversation

getdave
Copy link
Contributor

@getdave getdave commented Jan 11, 2022

Description

This is not a security problem. This PR simply moves escaping of all PHP output to be as "late" as possible. This means we avoid escaping variables until they are output in the HTML markup.

This is a WP Core best practice.

How has this been tested?

  • Add Latest Comments block.
  • Check functionality is "as was".
  • Check all tests pass.

Screenshots

Types of changes

Bug fix (non-breaking change which fixes an issue)

Checklist:

  • My code is tested.
  • My code follows the WordPress code style.
  • My code follows the accessibility standards.
  • I've tested my changes with keyboard and screen readers.
  • My code has proper inline documentation.
  • I've included developer documentation if appropriate.
  • I've updated all React Native files affected by any refactorings/renamings in this PR (please manually search all *.native.js files for terms that need renaming or removal).
  • I've updated related schemas if appropriate.

@getdave getdave added [Type] Code Quality Issues or PRs that relate to code quality [Block] Latest Comments Affects the Latest Comments Block [Type] Security Related to security concerns or efforts labels Jan 11, 2022
@getdave getdave self-assigned this Jan 11, 2022
@getdave getdave requested a review from ajitbohra as a code owner January 11, 2022 11:26
@getdave getdave changed the title Escape late latest comments block Late escape latest comments block Jan 11, 2022
@getdave
Copy link
Contributor Author

getdave commented Jan 13, 2022

In line with other similar PRs, I'm going to audit this again and revert some unnecessary escaping.

@getdave
Revert escaping of translations
3ec6f65
@getdave
Move Post title escaping at point of output
d689528 
Previously we were esaping within the function generating the title. Now we escape the result of calling the function.
@getdave
Revert escaping of hardcoded inlined string
07e12d8 
The key here is that they are inlined and not variables
@getdave
Revert escape of comment excerpt
20d6c37 
This is not escaped when used in Core so is ok
@getdave
Revert escaping get_block_wrapper_attributes
63dc1c5
@getdave
Copy link
Contributor Author

getdave commented Jan 13, 2022

Ok this is RfR again.

@getdave getdave merged commit bbaaae8 into trunk Jan 14, 2022
@getdave getdave deleted the update/escape-late-latest-comments-block branch January 14, 2022 11:14
@github-actions github-actions bot added this to the Gutenberg 12.5 milestone Jan 14, 2022
@getdave getdave mentioned this pull request Feb 7, 2022
Closed
17 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aristath aristath aristath approved these changes

@ehti ehti Awaiting requested review from ehti

@hellofromtonya hellofromtonya Awaiting requested review from hellofromtonya

@ajitbohra ajitbohra Awaiting requested review from ajitbohra ajitbohra is a code owner

Assignees

@getdave getdave

Labels
[Block] Latest Comments Affects the Latest Comments Block [Type] Code Quality Issues or PRs that relate to code quality [Type] Security Related to security concerns or efforts
Projects
None yet
Milestone
Gutenberg 12.5
Development

Successfully merging this pull request may close these issues.
2 participants
@getdave @aristath