Fix: Prevent empty markup when site title or description is empty #8582

Closed
Sukhendu2002 wants to merge 10 commits into WordPress:trunk from Sukhendu2002:fix/empty-site-title-markup

@Sukhendu2002

Trac ticket: https://core.trac.wordpress.org/ticket/44656


This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.

@github-actions

Test using WordPress Playground

The changes in this pull request can be previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • The Plugin and Theme Directories cannot be accessed within Playground.
  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
    it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

@Sukhendu2002 Sukhendu2002 marked this pull request as ready for review March 25, 2025 11:51
@github-actions

github-actions Bot commented Mar 25, 2025

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props sukhendu2002, sirlouen, joedolson, sabernhardt.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

Member

@SirLouen SirLouen left a comment

I understand that you were taking the @audrasjb first proposal, which is not wrong at all, but can be a little improved.
And after reviewing all my proposed changes, someone could say:

But not empty is a safer choice than full

And it's true, but let's not forget that the incoming variables are variables coming from the database, variables that have been sanitized to death. It's not like a first variable coming from a mixed input parameter that we should take extra caution.

Comment thread src/wp-content/themes/twentytwenty/inc/template-tags.php Outdated
Comment thread src/wp-content/themes/twentyten/header.php Outdated
Comment thread src/wp-content/themes/twentyeleven/header.php Outdated
Comment thread src/wp-content/themes/twentyfifteen/header.php Outdated
Comment thread src/wp-content/themes/twentyfifteen/header.php
Comment thread src/wp-content/themes/twentyfourteen/header.php Outdated
Comment thread src/wp-content/themes/twentyseventeen/template-parts/header/site-branding.php Outdated
Comment thread src/wp-content/themes/twentysixteen/header.php Outdated
Comment thread src/wp-content/themes/twentythirteen/header.php Outdated
Comment thread src/wp-content/themes/twentytwelve/header.php Outdated
@Sukhendu2002 Sukhendu2002 requested a review from SirLouen May 23, 2025 12:46
Member

@SirLouen SirLouen left a comment

Some additional changes provided in almost all files to improve final code quality, give it a check.

Comment thread src/wp-content/themes/twentyeleven/header.php Outdated
Comment thread src/wp-content/themes/twentyfifteen/header.php
Comment thread src/wp-content/themes/twentyfourteen/header.php Outdated
Comment thread src/wp-content/themes/twentyseventeen/template-parts/header/site-branding.php Outdated
Comment thread src/wp-content/themes/twentysixteen/header.php Outdated
Comment thread src/wp-content/themes/twentyten/header.php
Comment thread src/wp-content/themes/twentythirteen/header.php Outdated
Comment thread src/wp-content/themes/twentytwelve/header.php Outdated
Contributor

@joedolson joedolson left a comment

As is, this patch introduces security vulnerabilities. bloginfo() internally calls get_bloginfo() with the filter argument set to display, which executes esc_html on the output. But if you call get_bloginfo() directly, the output is fetched raw, and is not safe.

You can either add the display argument to all get_bloginfo() calls or add late escaping to the resulting variables; either would fix the issue.

Comment thread src/wp-content/themes/twentyeleven/header.php Outdated
Comment thread src/wp-content/themes/twentyeleven/header.php Outdated
Comment thread src/wp-content/themes/twentyfifteen/header.php Outdated
Comment thread src/wp-content/themes/twentyfourteen/header.php Outdated
Comment thread src/wp-content/themes/twentyseventeen/template-parts/header/site-branding.php Outdated
Comment thread src/wp-content/themes/twentyten/header.php Outdated
Comment thread src/wp-content/themes/twentythirteen/header.php Outdated
Comment thread src/wp-content/themes/twentythirteen/header.php Outdated
Comment thread src/wp-content/themes/twentytwelve/header.php Outdated
Comment thread src/wp-content/themes/twentytwelve/header.php Outdated
@sabernhardt

The display filter in bloginfo() ran the name and description through wptexturize and convert_chars in addition to esc_html.

In the event that filtering might empty the string, adding display in the variable could help:

$site_name        = get_bloginfo( 'name', 'display' );
$site_description = get_bloginfo( 'description', 'display' );

PHPCS might complain about <?php echo $site_name; ?>, but the PR passes the coding standards GitHub action. I would prefer not to add the phpcs:ignore comments.
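The escaping difference raised in the two review comments above, as an added example that is not code from this pull request or from WordPress core. The `demo_*` functions and the markup are hypothetical, and the stand-ins for `get_bloginfo()` and `esc_html()` are simplified so the file runs outside WordPress (core's `display` filter also applies `wptexturize` and `convert_chars`).

```php
<?php
// Simplified stand-ins (assumption) so this runs without WordPress loaded.
if ( ! function_exists( 'get_bloginfo' ) ) {
	// Constructed sample option values, not taken from the PR.
	$GLOBALS['demo_options'] = array(
		'name'        => 'Tom & Jerry <b>Blog</b>',
		'description' => '',
	);
	function esc_html( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
	// Default filter is 'raw'; only 'display' escapes the value.
	function get_bloginfo( $show = '', $filter = 'raw' ) {
		$value = $GLOBALS['demo_options'][ $show ] ?? '';
		return ( 'display' === $filter ) ? esc_html( $value ) : $value;
	}
}

// Pattern the review flagged: raw value is checked, then output unescaped.
function demo_title_unescaped() {
	$site_name = get_bloginfo( 'name' );
	return $site_name ? '<h1 class="site-title">' . $site_name . '</h1>' : '';
}

// Option 1 from the review: request the 'display' context up front.
function demo_title_display() {
	$site_name = get_bloginfo( 'name', 'display' );
	return $site_name ? '<h1 class="site-title">' . $site_name . '</h1>' : '';
}

// Option 2 from the review: keep the raw value and escape late, at output.
function demo_title_late_escape() {
	$site_name = get_bloginfo( 'name' );
	return $site_name ? '<h1 class="site-title">' . esc_html( $site_name ) . '</h1>' : '';
}

// The PR's goal: an empty description produces no wrapper element at all.
function demo_description() {
	$site_description = get_bloginfo( 'description', 'display' );
	return $site_description ? '<p class="site-description">' . $site_description . '</p>' : '';
}

echo demo_title_unescaped(), "\n";   // markup in the option reaches the page
echo demo_title_display(), "\n";     // option value is entity-encoded
echo demo_title_late_escape(), "\n"; // same encoded result, escaped at output
var_dump( demo_description() );      // empty string, so no empty <p> is emitted
```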

@Sukhendu2002 Sukhendu2002 requested a review from joedolson June 2, 2025 07:30
@github-actions

A commit was made that fixes the Trac ticket referenced in the description of this pull request.

SVN changeset: 60483
GitHub commit: d71b1d8

This PR will be closed, but please confirm the accuracy of this and reopen if there is more work to be done.

@github-actions github-actions Bot closed this Jul 18, 2025