From 305d8c26c1b4de8cc4600811e969385051cee021 Mon Sep 17 00:00:00 2001
From: Weston Ruter
Date: Wed, 3 Mar 2021 13:01:12 -0800
Subject: [PATCH 1/3] Sanitize keys in server-timing instead of adding slashes
---
 src/Instrumentation/Event.php | 16 +++++++++++++---
 src/Instrumentation/ServerTiming.php | 2 +-
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/Instrumentation/Event.php b/src/Instrumentation/Event.php
index 2e728e46434..3cf0c92f3c3 100644
--- a/src/Instrumentation/Event.php
+++ b/src/Instrumentation/Event.php
@@ -96,6 +96,16 @@ public function add_properties( $properties ) {
 }
 }
 
+ /**
+ * Sanitize key.
+ *
+ * @param string $key Unsanitized key.
+ * @return string Sanitized key.
+ */
+ private function sanitize_key( $key ) {
+ return preg_replace( '/\W+/', '_', $key );
+ }
+
 /**
 * Get the server timing header string.
 *
@@ -108,19 +118,19 @@ public function get_header_string() {
 if ( is_float( $value ) ) {
 $property_strings[] = sprintf(
 ';%s="%.1f"',
- addslashes( $property ),
+ $this->sanitize_key( $property ),
 $value
 );
 } else {
 $property_strings[] = sprintf(
 ';%s="%s"',
- addslashes( $property ),
+ $this->sanitize_key( $property ),
 addslashes( $value )
 );
 }
 }
- $event_string = addslashes( $this->get_name() ); + $event_string = $this->sanitize_key( $this->get_name() ); $description = $this->get_description(); if ( ! empty( $description ) ) {
diff --git a/src/Instrumentation/ServerTiming.php b/src/Instrumentation/ServerTiming.php
index a67840eed95..bf626c17520 100644
--- a/src/Instrumentation/ServerTiming.php
+++ b/src/Instrumentation/ServerTiming.php
@@ -158,7 +158,7 @@ public function get_header_string() {
 return implode(
 ',',
 array_map(
- static function ( $event ) {
+ static function ( Event $event ) {
 return $event->get_header_string();
 },
 $this->events
From e36ed871773415c665b146d4633251f6762f2c67 Mon Sep 17 00:00:00 2001
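Review bot: `sanitize_key` is lossy and can merge two distinct keys into one label: every run of disallowed characters becomes a single `_`, so property keys that differ only in such characters (constructed example: `db time` and `db_time`) collapse to the same parameter name, and two properties of one event could then emit duplicate `;name="…"` parameters in the header. Whether callers can supply such keys is not visible here; if they can, a sentence in the docblock saying the mapping is not one-to-one and a duplicate check in `add_properties` (outside this hunk) would be warranted. The method also leaves `$key` untyped while the same series adds `Event $event` in ServerTiming.php, and `preg_replace` returns `null` rather than the documented string on a PCRE error; casting both sides, `(string) preg_replace( …, (string) $key )`, keeps the `@return string` contract. The same applies to the rewritten line in PATCH 2/3.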
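Review bot: The keys are now token-sanitized but the values still go through `addslashes( $value )`, which escapes `'` and rewrites NUL as `\0` — neither is part of the HTTP quoted-string grammar — and leaves CR and LF untouched, so a value containing a line break still ends up in the header string; whether the caller's `header()` rejects it is not visible here, and `$description` further down is outside the hunk. Escaping only backslash and double quote and dropping control characters matches the quoted-string rules: `$value = preg_replace( '/[\x00-\x1F\x7F]/', '', (string) $value );` before the `sprintf`, with `addcslashes( $value, '"\\' )` in place of `addslashes( $value )`. Separately, on the adjacent context line `';%s="%.1f"'`, the `f` conversion is locale-aware in PHP's `sprintf`, so a comma-decimal locale would emit `1,5` into the header; `%.1F` is locale-independent. `get_header_string` begins and ends outside this hunk.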
From: Weston Ruter
Date: Wed, 3 Mar 2021 13:30:29 -0800
Subject: [PATCH 2/3] Allow hyphens in Server-Timing keys
---
 src/Instrumentation/Event.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Instrumentation/Event.php b/src/Instrumentation/Event.php
index 3cf0c92f3c3..1ba30d7e77a 100644
--- a/src/Instrumentation/Event.php
+++ b/src/Instrumentation/Event.php
@@ -103,7 +103,7 @@ public function add_properties( $properties ) {
 * @return string Sanitized key.
 */
 private function sanitize_key( $key ) {
- return preg_replace( '/\W+/', '_', $key );
+ return preg_replace( '/[^a-zA-Z0-9_-]+/', '_', $key );
 }
 
 /**
From db0ddd22098916e26956a70c3e8778833486623a Mon Sep 17 00:00:00 2001
From: Weston Ruter
Date: Thu, 4 Mar 2021 10:16:07 -0800
Subject: [PATCH 3/3] Add explanation for what sanitization entails
Co-authored-by: Alain Schlesser
---
 src/Instrumentation/Event.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Instrumentation/Event.php b/src/Instrumentation/Event.php
index 1ba30d7e77a..891d19810d9 100644
--- a/src/Instrumentation/Event.php
+++ b/src/Instrumentation/Event.php
@@ -97,7 +97,7 @@ public function add_properties( $properties ) {
 }
 
 /**
- * Sanitize key.
+ * Sanitize key to use it for an HTTP header label (alphanumeric and dashes/underscores only).
 *
 * @param string $key Unsanitized key.
 * @return string Sanitized key.
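Review bot: The tightened character class still lets the result be empty: `preg_replace` on `''` returns `''`, and the Server-Timing metric name must be a non-empty token, so an event whose `get_name()` is empty (whether that can happen is not visible from here) would yield a header element that starts with `;`. Guarding the result keeps the output a valid token: `$sanitized = (string) preg_replace( '/[^a-zA-Z0-9_-]+/', '_', (string) $key );` followed by `return '' === $sanitized ? '_' : $sanitized;`, or throw an `InvalidArgumentException` if an empty key should be treated as a caller error. The docblock could state that the result is restricted more tightly than the RFC 7230 token grammar, so readers do not expect other token characters to survive.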