Similar to prepared statements (#44), a templating language like Twig et al could reduce a lot of complexity when it comes to escaping. In React, output is escaped by default, and you have to use dangerouslySetInnerHTML() to intentionally output raw HTML. IMO, that's the correct approach from a security perspective.
It's also very convenient that the templating language detects the context for you, so you just write {{ $foo }} everywhere, and it knows when it should use esc_html vs esc_attr vs esc_url, etc. You can still override the default with things like {{ $foo|my_custom_escaping_function }} if needed.
That would be a huge shift for the WP ecosystem, but could be worth considering.
Similar to prepared statements (#44), a templating language like Twig et al could reduce a lot of complexity when it comes to escaping. In React, output is escaped by default, and you have to use
dangerouslySetInnerHTML()
to intentionally output raw HTML. IMO, that's the correct approach from a security perspective.It's also very convenient that the templating language detects the context for you, so you just write
{{ $foo }}
everywhere, and it knows when it should useesc_html
vsesc_attr
vsesc_url
, etc. You can still override the default with things like{{ $foo|my_custom_escaping_function }}
if needed.That would be a huge shift for the WP ecosystem, but could be worth considering.