fix: escape calendar item action link hrefs with esc_url() and link text with esc_html__()#1016
thisismyurl wants to merge 7 commits into
…p; (esc_html encoding)
Contributor: Reviewed — fix is correct, CI green. The escaping is right and the mutation-style tests (assert One scope question: the
`EF_Calendar::get_inner_information()` builds five action links for each calendar item — Edit, Trash, Preview, View, and Save. Three of those hrefs came from functions that return plain URLs (`get_edit_post_link()`, `get_delete_post_link()`, `get_permalink()`), and all five link text strings used `__()` directly. Neither set went through an escape function.
PR #993 made the same fix for `story-budget.php`; the calendar module's `item_actions` block was the parallel section that was missed.
This PR wraps the three hrefs in `esc_url()` and changes all five link-text calls to `esc_html__()`. The Preview branch already had `esc_url()` on its href — only the link text needed updating there.
The new test class `CalendarEscapingTest` injects a URL with a bare `&` via a WordPress filter (`get_edit_post_link`, `post_link`) and asserts the output contains `&#038;` (what `esc_url()` produces for `&`) rather than the raw `&`. A separate assertion confirms no raw `&` survives in any href attribute. `test_calendar_view_link_href_is_url_escaped` uses a published post so `get_permalink()` is the active code path (not the preview branch). The trash link is omitted from integration coverage because `get_delete_post_link()` routes through `wp_nonce_url()`, which pre-encodes `&` as `&amp;` — an integration test for that path cannot distinguish "esc_url() ran" from "wp_nonce_url() pre-encoded the value."
Tests reviewed by inspection; not executed locally (no integration harness in my environment) — relying on CI for the first run.
No visual or interaction change; escaping only, link text and structure unchanged, no a11y impact.
(props @thisismyurl)
(full disclosure: AI helped me identify the issue and verify my work)
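The escaping pattern the PR description above applies, shown as an added example that is not code from Edit Flow or from this PR. `wp_like_esc_url()` and `wp_like_esc_html__()` are simplified stand-ins (an assumption) that approximate the relevant behaviour of the WordPress functions so the script runs without a WordPress install; the two render functions, the `hrefs_are_escaped()` check and the sample URLs are constructed for illustration and are not the calendar module's actual markup.

```php
<?php
// Added example, not code from Edit Flow or this PR. wp_like_esc_url() and
// wp_like_esc_html__() are simplified stand-ins (an assumption) for the WordPress
// functions, included so the script runs without WordPress: php escaping.php
declare(strict_types=1);

function wp_like_esc_html__(string $text): string
{
    // esc_html__() translates, then entity-encodes; translation is a no-op here.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

function wp_like_esc_url(string $url): string
{
    // Mirrors the parts of esc_url() that matter here: spaces become %20, characters
    // outside the allowed set (including " < >) are dropped, & and &amp; are
    // normalised to &#038;, ' becomes &#039;, and non-http(s) URLs are rejected.
    $url = str_replace(' ', '%20', ltrim($url));
    $url = preg_replace('/[^a-z0-9\-~+_.?#=!&;,\/:%@$|*\'()\[\]\x80-\xff]/i', '', $url);
    if ($url === '' || !preg_match('#^https?://#i', $url)) {
        return '';
    }
    $url = str_replace(['&amp;', '&#038;'], '&', $url);
    $url = str_replace('&', '&#038;', $url);
    return str_replace("'", '&#039;', $url);
}

// "Before": the shape of the unescaped Edit/View links the PR replaces.
function render_actions_unescaped(string $edit_url, string $view_url): string
{
    return '<a href="' . $edit_url . '">' . 'Edit' . '</a> '
         . '<a href="' . $view_url . '">' . 'View' . '</a>';
}

// "After": href through esc_url(), link text through esc_html__().
function render_actions_escaped(string $edit_url, string $view_url): string
{
    return '<a href="' . wp_like_esc_url($edit_url) . '">' . wp_like_esc_html__('Edit') . '</a> '
         . '<a href="' . wp_like_esc_url($view_url) . '">' . wp_like_esc_html__('View') . '</a>';
}

// The property the PR's tests assert: every href attribute is non-empty and contains
// no raw & (an & that does not start an entity), so a bare & in the input must have
// become &#038;.
function hrefs_are_escaped(string $html): bool
{
    preg_match_all('/href="([^"]*)"/', $html, $matches);
    if ($matches[1] === []) {
        return false;
    }
    foreach ($matches[1] as $href) {
        if ($href === '' || preg_match('/&(?![#a-z0-9]+;)/i', $href)) {
            return false;
        }
    }
    return true;
}

// Constructed inputs: an edit URL with a bare & (the kind injected through the
// get_edit_post_link filter) and a permalink carrying an attribute-breakout attempt.
$edit_url = 'https://example.test/wp-admin/post.php?post=7&action=edit';
$view_url = 'https://example.test/?p=7&preview=true" onmouseover="alert(1)';

$before = render_actions_unescaped($edit_url, $view_url);
$after  = render_actions_escaped($edit_url, $view_url);

echo "before: {$before}\n";
echo "after:  {$after}\n";
echo 'before escaped? ', var_export(hrefs_are_escaped($before), true), "\n";
echo 'after escaped?  ', var_export(hrefs_are_escaped($after), true), "\n";
```

Running it shows the unescaped markup carrying both the raw `&` and the injected `onmouseover` attribute, while the escaped output has `&#038;` in every href and the `"` that would have closed the attribute dropped. The `hrefs_are_escaped()` check uses the same discriminator as the PR's integration test: it only accepts an `&` that begins an entity, so an `&#038;` from `esc_url()` passes and a bare `&` from the unescaped path fails.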