Script Loader: Consistently escape the style handle in WP_Styles::do_item().

SergeyBiryukov · SergeyBiryukov · commit 781fb28d4773 · 2025-10-28T21:35:53.000Z
Includes moving most of the escaping as late as possible when the `<link>` tag is being constructed. Follow-up to [29956], [36550], [43564], [46164]. Props georgestephanis, westonruter, azaozz, jonsurrell, XecurAbhijeet, SergeyBiryukov. See #30036. git-svn-id: https://develop.svn.wordpress.org/trunk@61084 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/class-wp-styles.php b/src/wp-includes/class-wp-styles.php
@@ -194,7 +194,7 @@ public function do_item( $handle, $group = false ) {
 		}
 
 		if ( isset( $obj->args ) ) {
-			$media = esc_attr( $obj->args );
+			$media = $obj->args;
 		} else {
 			$media = 'all';
 		}
@@ -218,16 +218,16 @@ public function do_item( $handle, $group = false ) {
 		}
 
 		$rel   = isset( $obj->extra['alt'] ) && $obj->extra['alt'] ? 'alternate stylesheet' : 'stylesheet';
-		$title = isset( $obj->extra['title'] ) ? sprintf( " title='%s'", esc_attr( $obj->extra['title'] ) ) : '';
+		$title = isset( $obj->extra['title'] ) ? $obj->extra['title'] : '';
 
 		$tag = sprintf(
 			"<link rel='%s' id='%s-css'%s href='%s'%s media='%s' />\n",
 			$rel,
-			$handle,
-			$title,
+			esc_attr( $handle ),
+			$title ? sprintf( " title='%s'", esc_attr( $title ) ) : '',
 			$href,
 			$this->type_attr,
-			$media
+			esc_attr( $media )
 		);
 
 		/**
@@ -255,11 +255,11 @@ public function do_item( $handle, $group = false ) {
 			$rtl_tag = sprintf(
 				"<link rel='%s' id='%s-rtl-css'%s href='%s'%s media='%s' />\n",
 				$rel,
-				$handle,
-				$title,
+				esc_attr( $handle ),
+				$title ? sprintf( " title='%s'", esc_attr( $title ) ) : '',
 				$rtl_href,
 				$this->type_attr,
-				$media
+				esc_attr( $media )
 			);
 
 			/** This filter is documented in wp-includes/class-wp-styles.php */
diff --git a/tests/phpunit/tests/dependencies/styles.php b/tests/phpunit/tests/dependencies/styles.php
@@ -91,6 +91,36 @@ public function test_wp_enqueue_style_with_html5_support_does_not_contain_type_a
 		$this->assertSame( $expected, get_echo( 'wp_print_styles' ) );
 	}
 
+	/**
+	 * Test assorted handles to make sure they are output correctly.
+	 *
+	 * @dataProvider data_awkward_handles_are_supported_consistently
+	 *
+	 * @ticket 30036
+	 */
+	public function test_awkward_handles_are_supported_consistently( $handle ) {
+		wp_enqueue_style( $handle, 'example.com', array(), null );
+
+		$expected = "<link rel='stylesheet' id='$handle-css' href='http://example.com' type='text/css' media='all' />\n";
+
+		$this->assertSame( $expected, get_echo( 'wp_print_styles' ) );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array<string, string[]>
+	 */
+	public function data_awkward_handles_are_supported_consistently() {
+		return array(
+			'some spaces'       => array( 'with some spaces' ),
+			'snowman'           => array( 'with-☃-snowman' ),
+			'trailing space'    => array( 'with-trailing-space ' ),
+			'leading space'     => array( ' with-leading-space' ),
+			'an "ironic" title' => array( 'an &quot;ironic&quot; title' ),
+		);
+	}
+
 	/**
 	 * Test the different protocol references in wp_enqueue_style
 	 *
