Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Post Title block should use esc_url() #53981

Merged
merged 1 commit into from
Oct 2, 2023
Merged

Post Title block should use esc_url() #53981

merged 1 commit into from
Oct 2, 2023

Conversation

tellyworth
Copy link
Contributor

@tellyworth tellyworth commented Aug 28, 2023
edited
Loading

What?

This PR adds URL escaping to the html output rendered by the Post Title block. It is not an issue of security, only of code quality.

Why?

Good WP coding standards require the use of esc_url() when outputting a URL. This applies even to URLs generated by core functions such as get_the_permalink(); see for reference the Twenty Twenty One theme, which does exactly that:

https://github.com/WordPress/twentytwentyone/blob/ba9f20cad89163761185c0467b346ba42541ae22/template-parts/content/content.php#L19

The Post Title block currently fails to escape the URL.

For the record, the Post Title block also fails to escape the title itself; however this is correct behaviour as per the docs: https://developer.wordpress.org/reference/functions/the_title/#more-information. Personally I think that position ought to be reconsidered, but that's a whole other issue, so I have intentionally left it as-is for this PR.

Related: #53838.

How?

The only change in this PR is adding the esc_url() call.

Testing Instructions

  1. Open any page with a Post Title block.
  2. Verify that the href in the link tag for the #wp-block-post-title is correct.

Screenshots or screencast

@tellyworth tellyworth added the [Type] Code Quality Issues or PRs that relate to code quality label Aug 28, 2023
@tellyworth tellyworth requested a review from ajitbohra as a code owner August 28, 2023 07:11
aristath
aristath approved these changes Aug 28, 2023
View reviewed changes
Copy link
Member

@aristath aristath left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch!

Thank you for working on this @tellyworth. The PR is very simple and does what it says.
LGTM 👍

alexstine
alexstine approved these changes Aug 28, 2023
View reviewed changes
Copy link
Contributor

@alexstine alexstine left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@alexstine
Copy link
Contributor

@tellyworth Can you sync latest changes into your trunk? Looks about 60 commits behind. Then you should be able to refresh the PR.

@aristath aristath merged commit d2e6ed6 into WordPress:trunk Oct 2, 2023
@github-actions github-actions bot added this to the Gutenberg 16.8 milestone Oct 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aristath aristath aristath approved these changes

@alexstine alexstine alexstine approved these changes

@ajitbohra ajitbohra Awaiting requested review from ajitbohra ajitbohra is a code owner

Assignees
No one assigned
Labels
[Type] Code Quality Issues or PRs that relate to code quality
Projects
None yet
Milestone
Gutenberg 16.8
Development

Successfully merging this pull request may close these issues.
3 participants
@tellyworth @alexstine @aristath