From acbd857a4c12a226f4b0b6d388e3817e2c62a173 Mon Sep 17 00:00:00 2001 From: Sergey Biryukov Date: Fri, 22 Jul 2022 11:33:10 +0000 Subject: [PATCH] Administration: Correct the escaping in documentation lookup for plugin and theme editor. This brings consistency to similar code fragments that evolved in slightly different ways over the years: * A check that the list of functions is not empty now exists in both editors. * "Function Name..." is an option label, not an attribute, so `esc_html__()` is the correct function here. * `esc_attr( urlencode( $function ) )` in the theme editor is replaced with `esc_attr( $function )`. * `htmlspecialchars( $function )` in the theme editor is replaced with `esc_html( $function )`. Follow-up to [10607], [10879], [11110], [11173], [11204], [11671], [14989]. Props aristath, justinahinon, poena, audrasjb, pratiweb, SergeyBiryukov. Fixes #56007. Built from https://develop.svn.wordpress.org/trunk@53758 git-svn-id: http://core.svn.wordpress.org/trunk@53317 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/plugin-editor.php | 4 +++- wp-admin/theme-editor.php | 14 +++++++++----- wp-includes/version.php | 2 +- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/wp-admin/plugin-editor.php b/wp-admin/plugin-editor.php index 941a16ba97..e6804c671b 100644 --- a/wp-admin/plugin-editor.php +++ b/wp-admin/plugin-editor.php @@ -167,10 +167,12 @@ if ( '.php' === substr( $real_file, strrpos( $real_file, '.' ) ) ) { if ( ! empty( $functions ) ) { $docs_select = ''; } } diff --git a/wp-admin/theme-editor.php b/wp-admin/theme-editor.php index eac1ce8dc5..863a5093c5 100644 --- a/wp-admin/theme-editor.php +++ b/wp-admin/theme-editor.php 
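Review bot: The documentation dropdown is still built by two separate copies of the same code, one in plugin-editor.php (this hunk) and one in theme-editor.php (the next hunk), and the commit description itself says the copies drifted into escaping the same values differently. A comment above each copy would flag the twin to whoever next touches the escaping, for example `// Keep the escaping here in sync with the docs lookup in wp-admin/theme-editor.php.` in this file and the mirror-image comment in the other. A single shared helper that takes the `$functions` list and returns the select markup would be the longer-term fix, since it leaves only one place where `esc_html__()`, `esc_attr()` and `esc_html()` have to be right. The enclosing `.php` extension check appears to begin outside the hunk.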
@@ -164,12 +164,16 @@ if ( ! empty( $posted_content ) ) { if ( '.php' === substr( $file, strrpos( $file, '.' ) ) ) { $functions = wp_doc_link_parse( $content ); - $docs_select = ''; + $docs_select .= ''; + + foreach ( $functions as $function ) { + $docs_select .= ''; + } + + $docs_select .= ''; } - $docs_select .= ''; } $content = esc_textarea( $content ); diff --git a/wp-includes/version.php b/wp-includes/version.php index cd5b8ef752..f068ae9cc4 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -16,7 +16,7 @@ * * @global string $wp_version */ -$wp_version = '6.1-alpha-53757'; +$wp_version = '6.1-alpha-53758'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
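Review bot: The option value in the theme editor loop no longer passes through `urlencode()` (the commit description says it is now `esc_attr( $function )`), so URL-encoding of the selected name is left entirely to whatever builds the documentation link from the dropdown, and that code is outside this hunk. The names come from `wp_doc_link_parse( $content )`, that is, from the file being edited, so each output context needs its own escaping: HTML here, URL where the link is built. A comment above the `foreach` would record that split, for example `// Escaped for HTML output only; the lookup handler must URL-encode the selected value.` It is also worth confirming that the handler really does encode the value now that the server side no longer does.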