values within loop should be escaped properly before echo `wp-admin/theme-install.php`

[sabbirshouvo]

In wp-admin/theme-install.php line 232 $feature_name is not escaped properly before echo the value. It should be escaped. In a similar scenario in file wp-admin/includes/theme-install.php same variable is escaped with esc_html( )

[sabbirshouvo]

escape $feature_name using esc_html()

[afragen]

Since it’s a variable, shouldn’t that be esc_attr()?

[sabbirshouvo]

Replying to afragen:

Since it’s a variable, shouldn’t that be esc_attr()?

I've used wp-admin/includes/theme-install.php line 149 as a reference.

[sabernhardt]

Using esc_html() would be appropriate for the label text; the category name's variable is escaped the same way for the legend tag on line 226.

Side note: I got confused by both variables named $feature_name because the first foreach loop refers to the feature category name. Could we change that variable to $category_name (or something similar)?

[sabbirshouvo]

@sabernhardt I agree with you. Check the image. I think it's more readable this way.

[sabbirshouvo]

improved code readability & fix variable escaping.

[mukesh27]

Can we use escaped value directly instead of set variable for the escape value then use for print?

$feature_category = esc_html( $feature_category );
echo '<legend>' . $feature_category . '</legend>';

Should be

echo '<legend>' . esc_html( $feature_category ) . '</legend>';

[sabbirshouvo]

Actually, my original patch is for the next two variables. The variable $feature_name was not properly escaped. And your suggestion looks good too. Should I make changes to my patch? @mukesh27

[mukesh27]

Let's wait for other dev feedback on this.

[SergeyBiryukov]

In 51923:

Coding Standards: Improve escaping in wp-admin/theme-install.php.

• Rename a duplicate $feature_name variable to $feature_group for clarity.
• Escape the remaining $feature_name variable.

Follow-up to [27636], [35273].

Props sabbirshouvo, sabernhardt, mukesh27, afragen.
Fixes #54277.