From 1b62c1af3a7844377fcc8e3e9d758dd8eda9af9b Mon Sep 17 00:00:00 2001
From: Weston Ruter <westonruter@google.com>
Date: Tue, 6 Aug 2024 14:48:55 -0700
Subject: [PATCH 1/3] Avoid sending Server-Timing header when buffer is being
 cleaned

---
 .../includes/server-timing/class-perflab-server-timing.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/plugins/performance-lab/includes/server-timing/class-perflab-server-timing.php b/plugins/performance-lab/includes/server-timing/class-perflab-server-timing.php
index 56a6536a3a..a5c05c2f49 100644
--- a/plugins/performance-lab/includes/server-timing/class-perflab-server-timing.php
+++ b/plugins/performance-lab/includes/server-timing/class-perflab-server-timing.php
@@ -268,8 +268,11 @@ public function on_template_include( $passthrough = null ) {
 	 */
 	public function start_output_buffer(): void {
 		ob_start(
-			function ( $output ) {
-				$this->send_header();
+			function ( string $output, ?int $phase ): string {
+				// Only send the header when the buffer is not being cleaned.
+				if ( ( $phase & PHP_OUTPUT_HANDLER_CLEAN ) === 0 ) {
+					$this->send_header();
+				}
 				return $output;
 			}
 		);

From 26e859db06cb4254510869610644641e60c796ea Mon Sep 17 00:00:00 2001
From: Weston Ruter <westonruter@google.com>
Date: Tue, 6 Aug 2024 14:51:06 -0700
Subject: [PATCH 2/3] Fix passing arg name to _doing_it_wrong()

---
 .../includes/server-timing/class-perflab-server-timing.php    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/plugins/performance-lab/includes/server-timing/class-perflab-server-timing.php b/plugins/performance-lab/includes/server-timing/class-perflab-server-timing.php
index a5c05c2f49..a6608df8a3 100644
--- a/plugins/performance-lab/includes/server-timing/class-perflab-server-timing.php
+++ b/plugins/performance-lab/includes/server-timing/class-perflab-server-timing.php
@@ -88,7 +88,7 @@ public function register_metric( string $metric_slug, array $args ): void {
 			_doing_it_wrong(
 				__METHOD__,
 				/* translators: %s: PHP parameter name */
-				sprintf( esc_html__( 'The %s argument is required and must be a callable.', 'performance-lab' ), esc_attr( $args['measure_callback'] ) ),
+				sprintf( esc_html__( 'The %s argument is required and must be a callable.', 'performance-lab' ), 'measure_callback' ),
 				''
 			);
 			return;
@@ -97,7 +97,7 @@ public function register_metric( string $metric_slug, array $args ): void {
 			_doing_it_wrong(
 				__METHOD__,
 				/* translators: %s: PHP parameter name */
-				sprintf( esc_html__( 'The %s argument is required and must be a string.', 'performance-lab' ), esc_attr( $args['access_cap'] ) ),
+				sprintf( esc_html__( 'The %s argument is required and must be a string.', 'performance-lab' ), 'access_cap' ),
 				''
 			);
 			return;

From 21ebb9744efdbfabbc022e37deb8128ed5bd5ac9 Mon Sep 17 00:00:00 2001
From: Weston Ruter <westonruter@google.com>
Date: Tue, 6 Aug 2024 14:56:41 -0700
Subject: [PATCH 3/3] Improve escaping output by wrapping entire string in
 esc_html()

---
 .../server-timing/class-perflab-server-timing.php         | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/plugins/performance-lab/includes/server-timing/class-perflab-server-timing.php b/plugins/performance-lab/includes/server-timing/class-perflab-server-timing.php
index a6608df8a3..3eed6ad703 100644
--- a/plugins/performance-lab/includes/server-timing/class-perflab-server-timing.php
+++ b/plugins/performance-lab/includes/server-timing/class-perflab-server-timing.php
@@ -61,7 +61,7 @@ public function register_metric( string $metric_slug, array $args ): void {
 			_doing_it_wrong(
 				__METHOD__,
 				/* translators: %s: metric slug */
-				sprintf( esc_html__( 'A metric with the slug %s is already registered.', 'performance-lab' ), esc_attr( $metric_slug ) ),
+				esc_html( sprintf( __( 'A metric with the slug %s is already registered.', 'performance-lab' ), $metric_slug ) ),
 				''
 			);
 			return;
@@ -71,7 +71,7 @@ public function register_metric( string $metric_slug, array $args ): void {
 			_doing_it_wrong(
 				__METHOD__,
 				/* translators: %s: WordPress action name */
-				sprintf( esc_html__( 'The method must be called before or during the %s action.', 'performance-lab' ), 'perflab_server_timing_send_header' ),
+				esc_html( sprintf( __( 'The method must be called before or during the %s action.', 'performance-lab' ), 'perflab_server_timing_send_header' ) ),
 				''
 			);
 			return;
@@ -88,7 +88,7 @@ public function register_metric( string $metric_slug, array $args ): void {
 			_doing_it_wrong(
 				__METHOD__,
 				/* translators: %s: PHP parameter name */
-				sprintf( esc_html__( 'The %s argument is required and must be a callable.', 'performance-lab' ), 'measure_callback' ),
+				esc_html( sprintf( __( 'The %s argument is required and must be a callable.', 'performance-lab' ), 'measure_callback' ) ),
 				''
 			);
 			return;
@@ -97,7 +97,7 @@ public function register_metric( string $metric_slug, array $args ): void {
 			_doing_it_wrong(
 				__METHOD__,
 				/* translators: %s: PHP parameter name */
-				sprintf( esc_html__( 'The %s argument is required and must be a string.', 'performance-lab' ), 'access_cap' ),
+				esc_html( sprintf( __( 'The %s argument is required and must be a string.', 'performance-lab' ), 'access_cap' ) ),
 				''
 			);
 			return;