-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update escaping function #683
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using kses rather than an escaping function seems like the right solution to the linked issue.
However I think this needs a more nuanced change, based on how the escape_string
method is used
- ✅ escaping block content--kses is appropriate
- ❌ For escaping attributes, we should be using
esc_attr
(oresc_attr_e
)
What do you think of the following as a fix?
- Renaming
escape_string
toescape_attr
, replacingesc_html_e
withesc_attr_e
, then using it below on line 128 - Adding
kses_for_block_content
(or similar name) that wrapswp_kses_post
and using it below on line 112
Also, maybe these methods should be protected/private, since they aren't used outside the class.
@creativecoder I implemented your suggestions in the latest commits. |
@matiasbenedetto I took a closer look at this to better understand the generated output in theme patterns and attempted an improvement in 3e53a9a to use My understanding is that This opens the door to translated strings containing a wide variety of html, including things like Potentially we could use The best solution would be parsing HTML content and generating sprintf functions with placeholders for the relevant html in translated strings, but that seems very complex to get right. What do you think? |
@creativecoder thanks for the detailed review. I have a few comments:
I see that in
Yes, this seems to be too complex to worth it. I'm not sure what would be the best way to move this forward. |
Yes, I think so. That was my attempt to resolve the issue, but I don't think it's good enough.
Same for me. For now, I think this needs to be worked around by manually editing the string in the theme template. In the case of the video in the linked issue, splitting the string on the line breaks seems appropriate. And for other inline html, using placeholders, for example: <?php
/* translators: %1$s: start of bold text (<strong>), %2$s: end of bold text (</strong>
) */
sprintf(
__( 'Some text %1$sthat is bold.%2$s', 'my-theme-textdomain' ),
'<strong>',
'</strong>'
);
?> |
In the latest commit (75cc3d2) I removed the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's make sure the PR description gets updated before this lands.
I updated the description. This PR should only fix the escaping of the HTML attributes. The text content of blocks will remain the same for now and it should be tackled in another PR. Could you give it another review, please? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What?
Use
esc_attr_e
to escape HTML attributes of blocks.Why?
How?
By adding a specific function for escaping HTML attributes of blocks.
How to test:
alt
property of Image blocks.Check that the attributes are correctly escaped.