Skip to content

fix: escape calendar item action link hrefs with esc_url() and link text with esc_html__()#1016

Open
thisismyurl wants to merge 8 commits into
Automattic:developfrom
thisismyurl:fix/calendar-item-action-link-escaping
Open

fix: escape calendar item action link hrefs with esc_url() and link text with esc_html__()#1016
thisismyurl wants to merge 8 commits into
Automattic:developfrom
thisismyurl:fix/calendar-item-action-link-escaping

Conversation

@thisismyurl

Copy link
Copy Markdown
Contributor

`EF_Calendar::get_inner_information()` builds five action links for each calendar item — Edit, Trash, Preview, View, and Save. Three of those hrefs came from functions that return plain URLs (`get_edit_post_link()`, `get_delete_post_link()`, `get_permalink()`), and all five link text strings used `__()` directly. Neither set went through an escape function.

PR #993 made the same fix for `story-budget.php`; the calendar module's `item_actions` block was the parallel section that was missed.

This PR wraps the three hrefs in `esc_url()` and changes all five link-text calls to `esc_html__()`. The Preview branch already had `esc_url()` on its href — only the link text needed updating there.

The new test class `CalendarEscapingTest` injects a URL with a bare `&` via a WordPress filter (`get_edit_post_link`, `post_link`) and asserts the output contains `&` (what `esc_url()` produces for `&`) rather than the raw `&`. A separate assertion confirms no raw `&` survives in any href attribute. `test_calendar_view_link_href_is_url_escaped` uses a published post so `get_permalink()` is the active code path (not the preview branch). The trash link is omitted from integration coverage because `get_delete_post_link()` routes through `wp_nonce_url()` which pre-encodes `&` as `&` — an integration test for that path cannot distinguish "esc_url() ran" from "wp_nonce_url() pre-encoded the value."

Tests reviewed by inspection; not executed locally (no integration harness in my environment) — relying on CI for the first run.

No visual or interaction change; escaping only, link text and structure unchanged, no a11y impact.

(props @thisismyurl)

(full disclosure: AI helped me identify the issue and verify my work)

@thisismyurl
thisismyurl requested a review from a team as a code owner June 22, 2026 12:54
@GaryJones

Copy link
Copy Markdown
Contributor

Reviewed — fix is correct, CI green. The escaping is right and the mutation-style tests (assert &, deny raw &) are a solid regression guard; good call documenting why the trash path can't be covered at the integration layer.

One scope question: the item_actions block is fully handled, but two other spots still pass a URL into an href without esc_url()calendar.php:110 and story-budget.php:105, both admin_url() inside a translated short_description. They're static/safe so not blocking, but if this is meant to close out the escaping sweep rather than just this block, worth folding in (here or a follow-up).

…et registrations

Folds in the two remaining admin_url()-in-href spots flagged in review,
closing out the escaping sweep for this module surface.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 13, 2026 14:17
@thisismyurl

Copy link
Copy Markdown
Contributor Author

Thanks @GaryJones — folded both in (63b1e7d). calendar.php and story-budget.php now wrap their admin_url() short-description hrefs with esc_url(), and the changelog has a matching entry. That should close out the escaping sweep for this surface rather than leaving a follow-up dangling.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens output escaping in the Calendar module’s per-item action links and in module “short_description” admin links, and adds integration coverage to prevent regressions in calendar item action link escaping.

Changes:

  • Escape Calendar item action link href values with esc_url() and action link text with esc_html__() in EF_Calendar::get_inner_information().
  • Escape admin_url()-based links embedded in the Calendar and Story Budget module short descriptions.
  • Add a new integration test (CalendarEscapingTest) to assert href URLs are escaped (specifically, bare & becomes &#038;).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
modules/calendar/calendar.php Escapes calendar action link URLs and link text; escapes module short-description URL.
modules/story-budget/story-budget.php Escapes the short-description link URL with esc_url().
tests/Integration/CalendarEscapingTest.php New regression test for calendar action link URL escaping.
CHANGELOG.md Adds Unreleased security notes documenting these escaping fixes.

Comment on lines +115 to +130
add_filter(
'post_link',
static function () {
return 'http://example.com/?p=1&preview=true';
}
);

ob_start();
$edit_flow->calendar->get_inner_information(
$edit_flow->calendar->get_post_information_fields( $post ),
$post
);
$html = ob_get_clean();

remove_all_filters( 'post_link' );

Comment on lines +65 to +82
// Inject a URL with a bare & so we can assert esc_url() encoding.
// esc_url() converts & to &#038; (numeric entity), not &amp;.
add_filter(
'get_edit_post_link',
static function () {
return 'http://example.com/wp-admin/post.php?post=1&action=edit';
}
);

ob_start();
$edit_flow->calendar->get_inner_information(
$edit_flow->calendar->get_post_information_fields( $post ),
$post
);
$html = ob_get_clean();

remove_all_filters( 'get_edit_post_link' );

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants