Properly escape url and attributes in wp-admin/themes.php

[sabbirshouvo]

There are multiple unescaped url and attributes in wp-admin/themes.php
It's against WordPress coding standard.

[sabbirshouvo]

Patch added

[audrasjb]

I think most of these variables don't need to be escaped, since they are generated by WordPress itself and can't be edited in any way.

(removing trunk version)

[audrasjb]

In my opinion, the only one where we may perhaps consider an escaping function is $theme['screenshot'][0].

[sabbirshouvo]

Replying to audrasjb:

I think most of these variables don't need to be escaped, since they are generated by WordPress itself and can't be edited in any way.

(removing trunk version)

Thanks for you feedback. I want to mention about few cases where same attributes are escaped and some are not in the same file.

/wp-admin/themes.php
Please check line: 535,548,555,567,870,894,907,913

if these needs attribute escaping then why not line 1120,1129,1140 ?

[audrasjb]

Hmm in any case you're right we need at least more consistency here :)

[sabbirshouvo]

update: Added another missing attribute check in wp-admin/themes.php file

[audrasjb]

Small WordPress Coding Standards issue: we need spaces in each function’s parenthesis.
Example: replace esc_attr($aria_name) with esc_attr( $aria_name )

[sabbirshouvo]

fixed spacing issue while escaping values.

[SergeyBiryukov]

In 52020:

Coding Standards: Consistently escape attribute in wp-admin/themes.php.

Follow-up to [27012], [38057], [47816], [51083].

Props sabbirshouvo, audrasjb.
Fixes #54256.