Skip to content

fix WordPress.Security.EscapeOutput.OutputNotEscaped errors #776

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
masteradhoc wants to merge 5 commits into
base: master
Choose a base branch
from
Open

fix WordPress.Security.EscapeOutput.OutputNotEscaped errors #776

masteradhoc wants to merge 5 commits into from
+16 −14

Conversation

@masteradhoc
Copy link
Contributor

@masteradhoc masteradhoc commented Feb 1, 2026

Fixes #775

What?

Fixes WordPress Coding Standards (PHPCS) violations related to unescaped output in class-two-factor-core.php by properly escaping all localized and dynamic output.

Why?

The Two-Factor plugin was triggering WordPress.Security.EscapeOutput.OutputNotEscaped errors when running PHPCS. Several localized strings and formatted values (_n(), number_format_i18n(), human_time_diff(), and __()) were output directly without context-appropriate escaping. This violates WordPress security and coding standards and may block releases or CI checks.

How?

implement the correct escape functions

Testing Instructions

  1. trigger plugin check on newest version of two-factor
  2. apply changes
  3. see if the OutputNotEscaped errors still show up

Changelog Entry

Fixed – Properly escaped localized output to comply with WordPress security and coding standards.

@github-actions
Copy link

github-actions bot commented Feb 1, 2026
edited
Loading

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: masteradhoc <masteradhoc@git.wordpress.org>
Co-authored-by: kasparsd <kasparsd@git.wordpress.org>
Co-authored-by: sjinks <volodymyrkolesnykov@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

kasparsd
kasparsd reviewed Feb 2, 2026
View reviewed changes
@jeffpaul jeffpaul added this to the 0.15.0 milestone Feb 2, 2026
kasparsd
kasparsd reviewed Feb 9, 2026
View reviewed changes
Copy link
Collaborator

@kasparsd kasparsd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It appears that WP core isn't passing these wp_die() strings through esc_html__() and use __() instead.

Should we keep it consistent with core?

@masteradhoc
Copy link
Contributor Author

masteradhoc commented Feb 9, 2026
edited
Loading

It appears that WP core isn't passing these wp_die() strings through esc_html__() and use __() instead.

Should we keep it consistent with core?

We use this a few times throughout the plugin. Shall we adjust all of this?

Then we'll probably have to add this as well ahead so we dont get the issues like #775 anymore.
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped

sjinks
sjinks reviewed Feb 9, 2026
View reviewed changes
class-two-factor-core.php
$provider = self::get_provider_for_user( $user, $provider );
if ( ! $provider ) {
wp_die( __( 'Cheatin&#8217; uh?', 'two-factor' ) );
wp_die( __( 'Two-factor provider not available for this user.', 'two-factor' ) );
Copy link
Contributor

@sjinks sjinks Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
wp_die( __( 'Two-factor provider not available for this user.', 'two-factor' ) );
wp_die( esc_html__( 'Two-factor provider not available for this user.', 'two-factor' ) );

I think we still need to escape these translations: PHPCS still complains.

sjinks
sjinks reviewed Feb 9, 2026
View reviewed changes
class-two-factor-core.php
$login_nonce = self::create_login_nonce( $user->ID );
if ( ! $login_nonce ) {
wp_die( esc_html__( 'Failed to create a login nonce.', 'two-factor' ) );
wp_die( __( 'Failed to create a login nonce.', 'two-factor' ) );
Copy link
Contributor

@sjinks sjinks Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
wp_die( __( 'Failed to create a login nonce.', 'two-factor' ) );
wp_die( esc_html__( 'Failed to create a login nonce.', 'two-factor' ) );

sjinks
sjinks reviewed Feb 9, 2026
View reviewed changes
class-two-factor-core.php
$provider = self::get_provider_for_user( $user, $provider );
if ( ! $provider ) {
wp_die( __( 'Cheatin&#8217; uh?', 'two-factor' ) );
wp_die( __( 'Two-factor provider not available for this user.', 'two-factor' ) );
Copy link
Contributor

@sjinks sjinks Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
wp_die( __( 'Two-factor provider not available for this user.', 'two-factor' ) );
wp_die( esc_html__( 'Two-factor provider not available for this user.', 'two-factor' ) );

sjinks
sjinks reviewed Feb 9, 2026
View reviewed changes
class-two-factor-core.php
$login_nonce = self::create_login_nonce( $user->ID );
if ( ! $login_nonce ) {
wp_die( esc_html__( 'Failed to create a login nonce.', 'two-factor' ) );
wp_die( __( 'Failed to create a login nonce.', 'two-factor' ) );
Copy link
Contributor

@sjinks sjinks Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
wp_die( __( 'Failed to create a login nonce.', 'two-factor' ) );
wp_die( esc_html__( 'Failed to create a login nonce.', 'two-factor' ) );

sjinks
sjinks reviewed Feb 9, 2026
View reviewed changes
class-two-factor-core.php
$provider = self::get_provider_for_user( $user, $provider );
if ( ! $provider ) {
wp_die( __( 'Cheatin&#8217; uh?', 'two-factor' ) );
wp_die( __( 'Two-factor provider not available for this user.', 'two-factor' ) );
Copy link
Contributor

@sjinks sjinks Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
wp_die( __( 'Two-factor provider not available for this user.', 'two-factor' ) );
wp_die( esc_html__( 'Two-factor provider not available for this user.', 'two-factor' ) );

sjinks
sjinks reviewed Feb 9, 2026
View reviewed changes
class-two-factor-core.php
return new WP_Error(
'two_factor_provider_missing',
__( 'Cheatin&#8217; uh?', 'two-factor' )
__( 'Two-factor provider not available for this user.', 'two-factor' )
Copy link
Contributor

@sjinks sjinks Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
__( 'Two-factor provider not available for this user.', 'two-factor' )
esc_html__( 'Two-factor provider not available for this user.', 'two-factor' )

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kasparsd kasparsd Awaiting requested review from kasparsd

1 more reviewer

@sjinks sjinks sjinks approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@masteradhoc masteradhoc

Labels

None yet

Projects

None yet

Milestone

0.15.0

Development

Successfully merging this pull request may close these issues.

class-two-factor-core.php: WordPress.Security.EscapeOutput.OutputNotEscaped

4 participants

@masteradhoc @kasparsd @sjinks @jeffpaul