From 58bb4b79ca8542d933cae26eafce32415fe5f8b8 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Wed, 20 Sep 2023 09:45:51 +0000
Subject: [PATCH] Coding Standards: Escape the whole attribute in `wp-admin/export.php`. It is best to always escape the complete value of an attribute, not a partial value, as otherwise the escaping could be (partially) undone when the values are joined together. While the hardcoded hyphen in this case don't necessarily create that risk, it may change to a value which could be problematic, so making it a habit to escape the value in one go is best practice. Escaping the complete value also means that a single `esc_attr()` call can be used instead of two. Follow-up to [14444], [16652], [55616], [56632]. See #58831. git-svn-id: https://develop.svn.wordpress.org/trunk@56633 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/export.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/wp-admin/export.php b/src/wp-admin/export.php
index 1955f2b42e761..7f1dd43445624 100644
--- a/src/wp-admin/export.php
+++ b/src/wp-admin/export.php
@@ -160,7 +160,12 @@ function export_date_options( $post_type = 'post' ) {
 }
 $month = zeroise( $date->month, 2 );
- echo '';
+
+ printf(
+ '',
+ esc_attr( $date->year . '-' . $month ),
+ $wp_locale->get_month( $month ) . ' ' . $date->year
+ );
 }
 }
 ?>
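Review bot: The second `printf()` argument, `$wp_locale->get_month( $month ) . ' ' . $date->year`, is passed unescaped while the first is wrapped in `esc_attr()`. The format string is not legible on this page (it shows as `''`), so this argument is presumably the element's visible text; if so, escape it as one value at the point of output, `esc_html( $wp_locale->get_month( $month ) . ' ' . $date->year )`, for the same reason the commit message gives for the attribute. Neither part is a literal in this hunk: the month name is returned by `$wp_locale` and `$date` is populated above the hunk, where `export_date_options()` begins, so its origin should be confirmed there.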