iandunn
commented
3 years ago I missed this earlier, but there's already #33472-core :)
It might be worth keeping this open for a bit, just to consider whether that's something we should try to help move forward as part of this project.
Similar to prepared statements (#44), a templating language like Twig et al could reduce a lot of complexity when it comes to escaping. In React, output is escaped by default, and you have to use
dangerouslySetInnerHTML()to intentionally output raw HTML. IMO, that's the correct approach from a security perspective.It's also very convenient that the templating language detects the context for you, so you just write
{{ $foo }}everywhere, and it knows when it should useesc_htmlvsesc_attrvsesc_url, etc. You can still override the default with things like{{ $foo|my_custom_escaping_function }}if needed.That would be a huge shift for the WP ecosystem, but could be worth considering.