Coding Standards: Improve escaping in `wp_login_form()`.

* Split long concatenated lines using `sprintf()`. This aims to improve readability and avoid multiple `esc_attr()` calls for the same value.
* Escape the form `name` and `id` attributes.

Follow-up to [12696], [18444], [19033].

Props sabbirshouvo, mukesh27, audrasjb, henry.wright, SergeyBiryukov.
Fixes #54279.
Built from https://develop.svn.wordpress.org/trunk@51926


git-svn-id: http://core.svn.wordpress.org/trunk@51519 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-includes/general-template.php

@@ -576,25 +576,50 @@ function wp_login_form( $args = array() ) {
 	 */
 	$login_form_bottom = apply_filters( 'login_form_bottom', '', $args );
 
-	$form = '
-		<form name="' . $args['form_id'] . '" id="' . $args['form_id'] . '" action="' . esc_url( site_url( 'wp-login.php', 'login_post' ) ) . '" method="post">
-			' . $login_form_top . '
-			<p class="login-username">
-				<label for="' . esc_attr( $args['id_username'] ) . '">' . esc_html( $args['label_username'] ) . '</label>
-				<input type="text" name="log" id="' . esc_attr( $args['id_username'] ) . '" class="input" value="' . esc_attr( $args['value_username'] ) . '" size="20" />
-			</p>
-			<p class="login-password">
-				<label for="' . esc_attr( $args['id_password'] ) . '">' . esc_html( $args['label_password'] ) . '</label>
-				<input type="password" name="pwd" id="' . esc_attr( $args['id_password'] ) . '" class="input" value="" size="20" />
-			</p>
-			' . $login_form_middle . '
-			' . ( $args['remember'] ? '<p class="login-remember"><label><input name="rememberme" type="checkbox" id="' . esc_attr( $args['id_remember'] ) . '" value="forever"' . ( $args['value_remember'] ? ' checked="checked"' : '' ) . ' /> ' . esc_html( $args['label_remember'] ) . '</label></p>' : '' ) . '
-			<p class="login-submit">
-				<input type="submit" name="wp-submit" id="' . esc_attr( $args['id_submit'] ) . '" class="button button-primary" value="' . esc_attr( $args['label_log_in'] ) . '" />
-				<input type="hidden" name="redirect_to" value="' . esc_url( $args['redirect'] ) . '" />
-			</p>
-			' . $login_form_bottom . '
-		</form>';
+	$form =
+		sprintf(
+			'<form name="%1$s" id="%1$s" action="%2$s" method="post">',
+			esc_attr( $args['form_id'] ),
+			esc_url( site_url( 'wp-login.php', 'login_post' ) )
+		) .
+		$login_form_top .
+		sprintf(
+			'<p class="login-username">
+				<label for="%1$s">%2$s</label>
+				<input type="text" name="log" id="%1$s" class="input" value="%3$s" size="20" />
+			</p>',
+			esc_attr( $args['id_username'] ),
+			esc_html( $args['label_username'] ),
+			esc_attr( $args['value_username'] )
+		) .
+		sprintf(
+			'<p class="login-password">
+				<label for="%1$s">%2$s</label>
+				<input type="password" name="pwd" id="%1$s" class="input" value="" size="20" />
+			</p>',
+			esc_attr( $args['id_password'] ),
+			esc_html( $args['label_password'] )
+		) .
+		$login_form_middle .
+		( $args['remember'] ?
+			sprintf(
+				'<p class="login-remember"><label><input name="rememberme" type="checkbox" id="%1$s" value="forever"%2$s /> %3$s</label></p>',
+				esc_attr( $args['id_remember'] ),
+				( $args['value_remember'] ? ' checked="checked"' : '' ),
+				esc_html( $args['label_remember'] )
+			) : ''
+		) .
+		sprintf(
+			'<p class="login-submit">
+				<input type="submit" name="wp-submit" id="%1$s" class="button button-primary" value="%2$s" />
+				<input type="hidden" name="redirect_to" value="%3$s" />
+			</p>',
+			esc_attr( $args['id_submit'] ),
+			esc_attr( $args['label_log_in'] ),
+			esc_url( $args['redirect'] )
+		) .
+		$login_form_bottom .
+		'</form>';
 
 	if ( $args['echo'] ) {
 		echo $form;

wp-includes/version.php

@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '5.9-alpha-51925';
+$wp_version = '5.9-alpha-51926';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.