Changeset 61084

Timestamp:

10/28/2025 09:35:53 PM (4 weeks ago)

Author:

SergeyBiryukov

Message:

Script Loader: Consistently escape the style handle in WP_Styles::do_item().

Includes moving most of the escaping as late as possible when the <link> tag is being constructed.

Follow-up to [29956], [36550], [43564], [46164].

Props georgestephanis, westonruter, azaozz, jonsurrell, XecurAbhijeet, SergeyBiryukov.
See #30036.

Location:

trunk

Files:

• src/wp-includes/class-wp-styles.php (modified) (3 diffs)
• tests/phpunit/tests/dependencies/styles.php (modified) (1 diff)

trunk/src/wp-includes/class-wp-styles.php

@@ -195 +195 @@
 
         if ( isset( $obj->args ) ) {
-            $media = esc_attr( $obj->args );
+            $media = $obj->args;
         } else {
             $media = 'all';
@@ -219 +219 @@
 
         $rel   = isset( $obj->extra['alt'] ) && $obj->extra['alt'] ? 'alternate stylesheet' : 'stylesheet';
-        $title = isset( $obj->extra['title'] ) ? sprintf( " title='%s'", esc_attr( $obj->extra['title'] ) ) : '';
+        $title = isset( $obj->extra['title'] ) ? $obj->extra['title'] : '';
 
         $tag = sprintf(
             "<link rel='%s' id='%s-css'%s href='%s'%s media='%s' />\n",
             $rel,
-            $handle,
-            $title,
+            esc_attr( $handle ),
+            $title ? sprintf( " title='%s'", esc_attr( $title ) ) : '',
             $href,
             $this->type_attr,
-            $media
+            esc_attr( $media )
         );
 
@@ -256 +256 @@
                 "<link rel='%s' id='%s-rtl-css'%s href='%s'%s media='%s' />\n",
                 $rel,
-                $handle,
-                $title,
+                esc_attr( $handle ),
+                $title ? sprintf( " title='%s'", esc_attr( $title ) ) : '',
                 $rtl_href,
                 $this->type_attr,
-                $media
+                esc_attr( $media )
             );
 

trunk/tests/phpunit/tests/dependencies/styles.php

@@ -93 +93 @@
 
     /**
+     * Test assorted handles to make sure they are output correctly.
+     *
+     * @dataProvider data_awkward_handles_are_supported_consistently
+     *
+     * @ticket 30036
+     */
+    public function test_awkward_handles_are_supported_consistently( $handle ) {
+        wp_enqueue_style( $handle, 'example.com', array(), null );
+
+        $expected = "<link rel='stylesheet' id='$handle-css' href='http://example.com' type='text/css' media='all' />\n";
+
+        $this->assertSame( $expected, get_echo( 'wp_print_styles' ) );
+    }
+
+    /**
+     * Data provider.
+     *
+     * @return array<string, string[]>
+     */
+    public function data_awkward_handles_are_supported_consistently() {
+        return array(
+            'some spaces'       => array( 'with some spaces' ),
+            'snowman'           => array( 'with-☃-snowman' ),
+            'trailing space'    => array( 'with-trailing-space ' ),
+            'leading space'     => array( ' with-leading-space' ),
+            'an "ironic" title' => array( 'an &quot;ironic&quot; title' ),
+        );
+    }
+
+    /**
      * Test the different protocol references in wp_enqueue_style
      *