Automattic / VIP-Coding-Standards

PHP_CodeSniffer ruleset to enforce WordPress VIP coding standards.
https://wpvip.com/documentation/how-to-install-php-code-sniffer-for-wordpress-com-vip/

Question: how to correctly escape query parameters when used in inline js? #679

Closed kkmuffme closed 3 years ago

kkmuffme commented 3 years ago

I have this code (used for a Google JS SDK/API) used in an inline script tag, since the recaptcha API key is stored in WP db, but I don't know how to correctly escape it with the new rules (since I'm getting WordPressVIPMinimum.Security.ProperEscapingFunction.hrefSrcEscUrl but esc_url cannot be used for this, since it will put a https://)

xhr.send( '/some/url?some-arg=' + jsVariableFromGoogleAPI + '&api-key=<?php echo esc_attr( rawurlencode( $api_key ) ); ?>' );

jrfnl commented 3 years ago

I cannot seem to reproduce the issue. Tested this code snippet with VIPCS 2.3.0, 2.3.1, but neither seems to give any error for this line.

kkmuffme commented 3 years ago

Hm, strange, suddenly I don't get that error anymore either.
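
The value in the question sits in two nested contexts: a URL query component inside a JavaScript string literal inside an inline script. The sketch below is an added example, not code from the thread participants or from the VIPCS project, and shows one way to encode for both in plain PHP; the helper name `js_query_component` and the sample key are hypothetical. Inside WordPress, `wp_json_encode()` is the wrapper around `json_encode()`.

```php
<?php
// Added example: plain PHP, so it runs without WordPress loaded.

/**
 * Encode a value for use as a query-string component that is emitted
 * into an inline <script> block. Encodings are applied innermost
 * context first: URL component, then JavaScript string literal.
 * (Hypothetical helper name, not a WordPress or VIPCS function.)
 */
function js_query_component( string $value ): string {
    // 1. URL context: percent-encode everything except A-Z a-z 0-9 - _ . ~
    $url_part = rawurlencode( $value );

    // 2. JS context: emit a complete, already quoted JS string literal.
    //    After rawurlencode() only safe ASCII remains, so the HEX flags
    //    are defence in depth: they would turn <, >, &, ' and " into
    //    \uXXXX escapes so the literal cannot end the string or the
    //    surrounding <script> element.
    return json_encode(
        $url_part,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample value; a real key would be read from the database.
$api_key = 'key\'with"quotes</script>&more';
?>
<script>
// The PHP helper prints its own quotes, so no quotes are written here.
var apiKeyParam = <?php echo js_query_component( $api_key ); ?>;

// Values that originate in JavaScript are encoded on the JavaScript side.
// jsVariableFromGoogleAPI and xhr are the names used in the question.
var requestUrl = '/some/url?some-arg=' + encodeURIComponent( jsVariableFromGoogleAPI )
	+ '&api-key=' + apiKeyParam;
</script>
```

With the constructed key, the emitted line is `var apiKeyParam = "key%27with%22quotes%3C%2Fscript%3E%26more";`, so no character of the stored value can terminate the string literal or the script element.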