Security: Remove use of innerHTML in the the_block_template_skip_link() function.

johnbillion · johnbillion · commit a1440ae4e16b · 2025-02-17T16:23:52.000Z
There is no need to support HTML in this string and switching to `innerText` helps facilitate a more restrictive Content Security Policy. Props micromadness, sabernhardt Fixes #58765 git-svn-id: https://develop.svn.wordpress.org/trunk@59831 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/theme-templates.php b/src/wp-includes/theme-templates.php
@@ -205,7 +205,7 @@ function wp_enqueue_block_template_skip_link() {
 		skipLink.classList.add( 'skip-link', 'screen-reader-text' );
 		skipLink.id = 'wp-skip-link';
 		skipLink.href = '#' + skipLinkTargetID;
-		skipLink.innerHTML = '<?php /* translators: Hidden accessibility text. */ esc_html_e( 'Skip to content' ); ?>';
+		skipLink.innerText = '<?php /* translators: Hidden accessibility text. Do not use HTML entities (&nbsp;, etc.). */ esc_html_e( 'Skip to content' ); ?>';
 
 		// Inject the skip link.
 		sibling.parentElement.insertBefore( skipLink, sibling );
