[PCP] Phase 3: EscapeOutput.UnsafePrintingFunction + OutputNotEscaped #238

Open
faisalahammad wants to merge 1 commit into WordPress:trunk from faisalahammad:fix/pcp-phase-3-escape-output

@faisalahammad faisalahammad commented Jun 11, 2026

Contributor

Fix: WordPress.Security.EscapeOutput (lines 433–524, 698, 1011)

Changes

  • _e() → esc_html_e(): 8 locations (lines 457, 461, 487, 503, 507, 520, 523, 524, 698)
  • _ex() → echo esc_html_x(): 3 locations (lines 433, 437, 511, 515) — note: _ex() prints directly; esc_html_x() returns, so echo prefix required
  • echo $clear → echo esc_html( $clear ): 1 location (line 1011)

All replacements use esc_html_* variants because the output contexts are HTML text nodes (labels, headings, descriptions, anchor text).

Rule codes

  • WordPress.Security.EscapeOutput.UnsafePrintingFunction (lines 433, 437, 457, 461, 487, 503, 507, 511, 515, 520, 523, 524, 698)
  • WordPress.Security.EscapeOutput.OutputNotEscaped (line 1011)

Verification

  • PHPCS with WordPress standard: zero violations for EscapeOutput

Escape all _e(), _ex(), and bare echo in classic-editor.php:
- _e() → esc_html_e() (11 locations)
- _ex() → echo esc_html_x() (3 locations)
- echo $clear → echo esc_html( $clear ) (1 location)
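
A reviewer-side check for this kind of migration, as an added example that is not part of the pull request or the plugin: besides the two rule patterns, it flags `esc_html_x()` or `esc_html__()` called as a bare statement, since a replacement that forgets the `echo` prints nothing at all. The regexes are line-based heuristics, and the sample lines and the `example-domain` text domain are constructed.

```python
import re

# Line-based heuristics (assumption: one statement per line, no multi-line calls).
CHECKS = [
    # _e()/_ex() print without escaping: EscapeOutput.UnsafePrintingFunction.
    ("unsafe-print", re.compile(r"(?<![\w>$])(_ex?)\s*\(")),
    # Returning escapers used as a bare statement: the string is never printed.
    ("missing-echo", re.compile(
        r"(?:^|;|\{|\}|<\?php)\s*(esc_(?:html|attr)(?:__|_x))\s*\(")),
    # echo of a bare variable: EscapeOutput.OutputNotEscaped.
    ("not-escaped", re.compile(r"\becho\s+(\$\w+)\s*;")),
]

# Constructed sample lines; 'example-domain' is a placeholder text domain.
SAMPLE = """\
<h2><?php _e( 'Default editor', 'example-domain' ); ?></h2>
<label><?php _ex( 'Block', 'editor name', 'example-domain' ); ?></label>
<label><?php esc_html_x( 'Classic', 'editor name', 'example-domain' ); ?></label>
<label><?php echo esc_html_x( 'Classic', 'editor name', 'example-domain' ); ?></label>
<p><?php esc_html_e( 'Saved.', 'example-domain' ); ?></p>
<?php echo $clear; ?>
<?php echo esc_html( $clear ); ?>
"""


def audit(php_source):
    """Return (line number, finding, matched token) tuples in line order."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for name, pattern in CHECKS:
            for match in pattern.finditer(line):
                findings.append((lineno, name, match.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, name, token in audit(SAMPLE):
        print(f"line {lineno}: {name}: {token}")
```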
