Switch toggles: consider using proper escaping #8957
Comments
@afercia This is one of the things I'm looking into during the CS round. No guarantee that I'll fix it as all relevant strings would need to be examined (if not, a

One of the problems with these is that they are used in our other plugins as well. So to properly apply escaping when generating the HTML, we need to make sure all plugins are only passing non-escaped strings. As this is not an easy task and requires backwards compatible solutions, we need to make sure all input to these methods is escaped when calling them. When we decide to properly fix this problem, we will need to introduce new methods that assume the entered strings are not escaped yet. These could even be presenters to allow links and styling to be applied within the string. Thus we need to verify on a case-by-case basis that they are passed with the proper escaping.
See Yoast_Form::light_switch() and Yoast_Form::toggle_switch() that generate the "switch toggle" controls. Most of the output is escaped (HTML attributes, screen reader text) but the visible "labels" are not escaped.
Proper escaping is made more difficult now that the new design uses HTML (for bold text) in the visible "labels":
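The split the issue describes, as an added example that is not Yoast SEO's own code: attributes and screen reader text go through a plain escaper, while the visible label goes through an allow-list filter so that the bold text the new design needs survives but every other tag is neutralised. The function names (render_switch_toggle, esc_label_html, esc_attr_text) and the sample labels are assumptions made for this illustration; in a WordPress plugin the same roles would be played by esc_attr(), esc_html() and wp_kses() with an explicit allow list.

```php
<?php
// Added example, not Yoast SEO's own code. Names and sample inputs are
// assumptions for illustration; the escaping split is the point.

declare(strict_types=1);

/** Escape a value for use as text content or inside a double-quoted attribute. */
function esc_attr_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Keep only a fixed set of attribute-less inline tags in a visible label and
 * escape everything else. Stand-in for an allow-list filter such as
 * WordPress' wp_kses() with a restricted allow list.
 */
function esc_label_html(string $label, array $allowed_tags = ['strong', 'em']): string
{
    $names   = implode('|', array_map(fn (string $t): string => preg_quote($t, '~'), $allowed_tags));
    $pattern = '~(</?(?:' . $names . ')>)~i';

    // With PREG_SPLIT_DELIM_CAPTURE the result alternates text, tag, text, tag, ...
    // Even indexes are text (escaped); odd indexes are allowed tags (kept, lowercased).
    $parts = preg_split($pattern, $label, -1, PREG_SPLIT_DELIM_CAPTURE);

    $out = '';
    foreach ($parts as $i => $part) {
        $out .= ($i % 2 === 1) ? strtolower($part) : esc_attr_text($part);
    }
    return $out;
}

/**
 * Render a switch toggle. Every interpolated value is escaped for the context
 * it lands in: attributes and screen reader text as plain text, the visible
 * label through the allow-list filter.
 */
function render_switch_toggle(string $name, string $label, bool $checked, string $help = ''): string
{
    $id = 'toggle-' . $name;

    return sprintf(
        '<div class="switch-container">'
        . '<label for="%1$s" class="switch-label">%2$s</label>'
        . '<input type="checkbox" id="%1$s" name="%3$s" value="on"%4$s>'
        . '<span class="screen-reader-text">%5$s</span>'
        . '</div>',
        esc_attr_text($id),
        esc_label_html($label),
        esc_attr_text($name),
        $checked ? ' checked="checked"' : '',
        esc_attr_text($help)
    );
}

// Constructed sample input: a label that legitimately contains bold text.
echo render_switch_toggle('enable_feature', 'Enable <strong>advanced</strong> mode', true, 'Toggle advanced mode'), PHP_EOL;
// <label ...>Enable <strong>advanced</strong> mode</label>

// Constructed sample input: a tag that is not on the allow list is escaped,
// not rendered, while the allowed <em> still is.
echo render_switch_toggle('notify', 'Read the <a href="https://example.com">docs</a> <em>first</em>', false), PHP_EOL;
// <label ...>Read the &lt;a href=&quot;https://example.com&quot;&gt;docs&lt;/a&gt; <em>first</em></label>
```

Two caveats worth keeping in mind when applying this to the real methods. First, callers that already pass pre-escaped strings (as the comment above notes several plugins do) would be double-escaped by this renderer, which is why the issue thread talks about new methods rather than changing the existing ones in place. Second, the allow-list filter passes an unclosed `<strong>` through as-is; a production filter such as wp_kses() tolerates the same thing, so the allow list, not tag balancing, is what bounds the markup a label can contribute.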