flag esc_* inside <script> tag #113
We could check via sniff whether there is an open HTML attribute prior
Please provide some more context here, such as example code that should be reported, and example code that shouldn't.
Some more context also containing code examples can be found here: https://vip.wordpress.com/documentation/vip-go/vip-code-review/javascript-security-best-practices/#escaping-dynamic-javascript-values
Some other examples can be found in comments in the WordPress documentation for the
and should not really be used inside script tag, where
Is this something that would benefit everyone? i.e. not VIP-specific? Seems like https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/blob/master/WordPress/Sniffs/Security/EscapeOutputSniff.php would be a good location for this to be addressed in?
While
@GaryJones Agreed, since context is important in this aspect. However, I think flagging
It's almost always meant to be
wp_json_encode
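As an added illustration (not code from this repository or its sniffs), a standalone PHP version of the check this issue asks for: tokenize a template and report `esc_*()` calls that occur between an inline `<script>` and `</script>`. The function name `find_esc_in_script` and the sample template are constructed for this example, and `<script>` tags echoed from PHP strings are assumed out of scope.

```php
<?php
// Added illustration: a simplified stand-in for the check discussed in this
// issue, not the project's sniff. find_esc_in_script() is a hypothetical name.

/**
 * Return every esc_*() call that sits inside an inline <script> element.
 */
function find_esc_in_script( string $source ): array {
	$in_script = false;
	$hits      = array();

	foreach ( token_get_all( $source ) as $token ) {
		if ( ! is_array( $token ) ) {
			continue; // Single-character tokens such as "(" or ";".
		}
		list( $id, $text, $line ) = $token;

		if ( T_INLINE_HTML === $id ) {
			// The last <script or </script in this HTML chunk decides the state.
			if ( preg_match_all( '#<(/?)script\b#i', $text, $m ) ) {
				$in_script = ( '' === end( $m[1] ) );
			}
		} elseif ( $in_script && T_STRING === $id && 0 === strpos( $text, 'esc_' ) ) {
			$hits[] = array( 'line' => $line, 'function' => $text );
		}
	}
	return $hits;
}

// Constructed sample template: only the esc_html() call on line 3 is inside <script>.
$template = <<<'PHP'
<p class="<?php echo esc_attr( $class ); ?>"><?php echo esc_html( $title ); ?></p>
<script>
	var title = '<?php echo esc_html( $title ); ?>';
	var safe  = <?php echo wp_json_encode( $title ); ?>;
</script>
<a href="<?php echo esc_url( $link ); ?>">more</a>
PHP;

foreach ( find_esc_in_script( $template ) as $hit ) {
	printf( "line %d: %s() inside <script>, consider wp_json_encode()\n", $hit['line'], $hit['function'] );
}
```

The `esc_attr()`, first `esc_html()` and `esc_url()` calls sit in HTML element or attribute context and are not reported; the `wp_json_encode()` call inside the script block is the form the thread recommends.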