I have the following code which is flagging a warning that I've been asked to fix by my theme reviewer.
WARNING All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$fontListStr'.
The $fontListStr in the warning message refers to the final line of the following code:
// Accumulators used below (assumed to be initialised like this above the loop in the original method)
$fontCounter  = 0;
$fontListStr  = '';
$isFontInList = false;

foreach ( $this->fontList as $key => $value ) {
    $fontCounter++;
    // Every dynamic value is escaped as it is concatenated: esc_attr() for the attribute, esc_html() for the text node
    $fontListStr .= '<option value="' . esc_attr( $value->family ) . '" ' . selected( $this->fontValues->font, $value->family, false ) . '>' . esc_html( $value->family ) . '</option>';
    if ( $this->fontValues->font === $value->family ) {
        $isFontInList = true;
    }
    // Stop once the configured number of fonts has been listed
    if ( is_int( $this->fontCount ) && $fontCounter === $this->fontCount ) {
        break;
    }
}
if ( ! $isFontInList && $this->fontListIndex ) {
    // If the default or saved font value isn't in the list of displayed fonts, add it to the top of the list as the default font
    $fontListStr = '<option value="' . esc_attr( $this->fontList[ $this->fontListIndex ]->family ) . '" ' . selected( $this->fontValues->font, $this->fontList[ $this->fontListIndex ]->family, false ) . '>' . esc_html( $this->fontList[ $this->fontListIndex ]->family ) . ' (default)</option>' . $fontListStr;
}
// Display our list of font options
echo $fontListStr;
I can't for the life of me work out how to escape the final line of code without breaking the output. I actually don't understand why I need to either as I escape all potential vulnerabilities in the lines before.
Could you please help me escape this properly? Thanks.
asked Dec 18, 2019 at 21:11 by Steven Gardner

1 Answer
This seems to have done the trick:
// Display our list of font options
$allowed_html = array(
    'option' => array(
        'value'    => array(),
        'selected' => array()
    ),
);
echo wp_kses( $fontListStr, $allowed_html );
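The two ways to satisfy the "escape at output" check, side by side, as an added example that is not code from the question or the answer: echoing each escaped option directly inside the loop, and keeping the buffered string but filtering it through wp_kses() with an allowlist at echo time. It assumes WordPress is loaded (esc_attr(), esc_html(), selected(), wp_kses()), and $fontList / $current are constructed stand-ins for $this->fontList and $this->fontValues->font.

```php
<?php
// Added example, not from the question or answer. Assumes WordPress is loaded.
// Constructed sample data; the third entry carries a quote and a tag so the
// effect of escaping is visible in the rendered markup.
$fontList = array(
    (object) array( 'family' => 'Open Sans' ),
    (object) array( 'family' => 'Roboto' ),
    (object) array( 'family' => 'Bad" Font <b>x</b>' ),
);
$current = 'Roboto';

// Approach 1: escape at the point of output. Each <option> is echoed as it is
// built, so every dynamic value passes through esc_attr()/esc_html() on the
// same statement as the echo; no buffered string has to be traced by a reviewer.
function render_font_options( array $fontList, $current ) {
    foreach ( $fontList as $font ) {
        echo '<option value="' . esc_attr( $font->family ) . '"'
            . selected( $current, $font->family, false ) . '>'
            . esc_html( $font->family ) . '</option>';
    }
}

// Approach 2: keep the buffered string and pass it through wp_kses() with an
// allowlist when it is echoed. Only <option> with value/selected survives; any
// other tag or attribute in the buffer is stripped. esc_attr()/esc_html()
// inside the loop are still required: wp_kses() filters the final markup, it
// does not escape the values that were concatenated into it.
function build_font_options( array $fontList, $current ) {
    $out = '';
    foreach ( $fontList as $font ) {
        $out .= '<option value="' . esc_attr( $font->family ) . '"'
            . selected( $current, $font->family, false ) . '>'
            . esc_html( $font->family ) . '</option>';
    }
    return $out;
}

$allowed_html = array(
    'option' => array( 'value' => array(), 'selected' => array() ),
);

echo '<select name="font">';
render_font_options( $fontList, $current );
echo '</select>';

echo '<select name="font_alt">';
echo wp_kses( build_font_options( $fontList, $current ), $allowed_html );
echo '</select>';
```

Both selects render identical markup for the sample data; the difference is only where the reviewer's tooling sees the escaping call relative to the echo.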