From 90ad63f2ce44f2933820ad2f589b369ee8f4723e Mon Sep 17 00:00:00 2001 From: Jake Spurlock Date: Fri, 15 Nov 2019 23:22:19 +0000 Subject: [PATCH] Toolbar: Properly escape the onclick attribute. The onclick attribute was being escaped twice, once with `esc_js` and again with `esc_attr`. Fixes #48117. Props tmatsuur, dinhtungdu. git-svn-id: https://develop.svn.wordpress.org/trunk@46734 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-includes/class-wp-admin-bar.php | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/wp-includes/class-wp-admin-bar.php b/src/wp-includes/class-wp-admin-bar.php index ce1464e125..69021f527b 100644 --- a/src/wp-includes/class-wp-admin-bar.php +++ b/src/wp-includes/class-wp-admin-bar.php @@ -550,16 +550,19 @@ class WP_Admin_Bar { if ( $has_link ) { $attributes = array( 'onclick', 'target', 'title', 'rel', 'lang', 'dir' ); echo "meta['onclick'] ) ) { - echo ' onclick="' . esc_js( $node->meta['onclick'] ) . '"'; - } } else { $attributes = array( 'onclick', 'target', 'title', 'rel', 'lang', 'dir' ); echo '
meta[ $attribute ] ) ) { + if ( empty( $node->meta[ $attribute ] ) ) { + continue; + } + + if ( 'onclick' === $attribute ) { + echo " $attribute='" . esc_js( $node->meta[ $attribute ] ) . "'"; + } else { echo " $attribute='" . esc_attr( $node->meta[ $attribute ] ) . "'"; } }
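Review bot: The new `onclick` branch writes the value inside single quotes (`" $attribute='" . esc_js( ... ) . "'"`), whereas the removed line used double quotes, and `esc_js()` entity-encodes double quotes but only backslash-escapes single ones. HTML does not treat a backslash as an escape, so a single quote in `$node->meta['onclick']` still closes the attribute; that breaks the handler and, if any part of the value ever comes from untrusted input (its origin is not visible in this hunk), allows attribute injection. Keep the double-quote delimiter for this branch, e.g. `echo ' onclick="' . esc_js( $node->meta[ $attribute ] ) . '"';`, and add a comment that `esc_js()` output is only safe inside a double-quoted attribute. The enclosing method starts and ends outside the hunk.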