"Error: Expected next thing to be an escaping function..." #369

Closed
philiparthurmoore opened this issue Apr 30, 2015 · 2 comments

Comments

@philiparthurmoore

Consider the following code, which will output the published (and updated) time for a post:

        // post time
        if ( in_array( get_post_type(), array( 'post', 'attachment' ) ) ) {
            $time_string = '<time class="entry-date published updated" datetime="%1$s">%2$s</time>';
            if ( get_the_time( 'U' ) !== get_the_modified_time( 'U' ) ) {
                $time_string = '<time class="entry-date published" datetime="%1$s">%2$s</time><time class="updated" datetime="%3$s">%4$s</time>';
            }
            $time_string = sprintf(
                $time_string,
                esc_attr( get_the_date( 'c' ) ),          // %1$s
                esc_html( get_the_date() ),               // %2$s
                esc_attr( get_the_modified_date( 'c' ) ), // %3$s
                esc_html( get_the_modified_date() )       // %4$s
            );
            printf(
                '<span class="posted-on">%1$s<a href="%2$s" rel="bookmark">%3$s</a></span>',
                wp_kses_post( _x( '<span class="screen-reader-text">Posted on</span>', 'Used before publish date.', 'theme-slug' ) ),
                esc_url( get_permalink() ),
                $time_string
            );
        }

WordPress Coding Standards are reporting that `$time_string` should be escaped, but `esc_html`, `esc_attr`, `wp_kses_post`, or `wp_kses` (with allowed tags) aren't practical. Is there any way to get around this (I think) false error, without introducing too much convoluted code into the theme that I'm working on? Note that this also affects Twenty Fifteen and _s, which I'm working on getting up to date with all coding standards.

@JDGrimes
Contributor

You can ignore a specific error with a whitelisting comment like this:

            printf( // WPCS: XSS OK
                '<span class="posted-on">%1$s<a href="%2$s" rel="bookmark">%3$s</a></span>',
                wp_kses_post( _x( '<span class="screen-reader-text">Posted on</span>', 'Used before publish date.', 'theme-slug' ) ),
                esc_url( get_permalink() ),
                $time_string
            );

@philiparthurmoore
Author

Fantastic. This works a treat.
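
An alternative to suppressing the warning, as an added example that is not part of the original thread or the project's own code: print the markup in pieces so that every dynamic value is escaped inside the call that outputs it and no pre-built HTML variable such as `$time_string` reaches `printf()`. It assumes WordPress is loaded, and `theme_slug_posted_on()` is a hypothetical function name.

```php
<?php
/**
 * Added example (hypothetical function name; assumes WordPress is loaded).
 * Same markup as the snippet in the issue, but escaped at the point of output:
 * each printf() takes a literal format string and only escaped arguments.
 */
function theme_slug_posted_on() {
	if ( ! in_array( get_post_type(), array( 'post', 'attachment' ), true ) ) {
		return;
	}

	// Opening wrapper, label and link. The label contains markup, so it is
	// filtered with wp_kses_post() exactly as in the original snippet.
	printf(
		'<span class="posted-on">%1$s<a href="%2$s" rel="bookmark">',
		wp_kses_post( _x( '<span class="screen-reader-text">Posted on</span>', 'Used before publish date.', 'theme-slug' ) ),
		esc_url( get_permalink() )
	);

	if ( get_the_time( 'U' ) !== get_the_modified_time( 'U' ) ) {
		// Post was modified after publication: separate published/updated elements.
		printf(
			'<time class="entry-date published" datetime="%1$s">%2$s</time><time class="updated" datetime="%3$s">%4$s</time>',
			esc_attr( get_the_date( 'c' ) ),
			esc_html( get_the_date() ),
			esc_attr( get_the_modified_date( 'c' ) ),
			esc_html( get_the_modified_date() )
		);
	} else {
		// Never modified: one element carries both classes.
		printf(
			'<time class="entry-date published updated" datetime="%1$s">%2$s</time>',
			esc_attr( get_the_date( 'c' ) ),
			esc_html( get_the_date() )
		);
	}

	// Closing tags are static markup with no dynamic data.
	echo '</a></span>';
}
```

The trade-off against the `// WPCS: XSS OK` comment is that nothing is exempted from the check, so a later edit that introduces an unescaped value into this output is still reported.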
