Correct way of using esc_attr() and esc_html()

Escaping is all about eliminating the need for trust or “it should be an XYZ” and instead guaranteeing it by force that “it will always be an XYZ”. It’s like a cookie cutter, everything will be that shape at the end even if it’s not cookie dough.

esc_attr

The official docs contain the answer:

When a variable is used as part of an attribute or url, it is always better to escape the whole string as that way a potential escape character just before the variable will be correctly escaped.

Escaping is all about context, so by concealing context from esc_attr you’re reducing its effectiveness. Don’t escape portions of an attribute, escape the entire attribute, and do it at the moment of output.

esc_attr is for escaping an attribute, the entire attribute. You can’t use it to partially escape sub-sections of an attribute because that’s not what it’s intended for, and it would be a misuse.

This is for the same reason you cannot use esc_url on sub-sections of a URL, esc_url always outputs a full URL. Without the context of the full URL it’s not possible to correctly escape it without potentially dangerous things leaking through, or malformed URLs that could be dangerous leaking out.

esc_html

esc_html guarantees that a string will not contain HTML tags, and it does this by escaping them so that they are printed out to the user rather than processed and executed by the browser.

Is this approach correct? I specifically meant this part: … esc_html__(‘Setup and Help’, ‘my-plugin’) . ‘ <i …

Yes! You may find some people consider escaping language strings unnecessary or overzealous, but language files and filters can be used as an attack vector and you’re protecting yourself by doing this.

If you know that string should never contain HTML, then escaping can provide some guarantees of that.

In General

Escaping is all about enforcing expectations. esc_html and esc_attr are intended for different purposes. Escaping isn’t a magic thing you apply to stuff universally, it’s ultra specific to the context and use, that’s why we don’t have a general escape function but instead have specific functions such as esc_html/esc_textarea/esc_attr/esc_url/wp_kses_post/strip_tags etc

“This variable contains a URL, and now that I’ve used esc_url it will be a URL even if you put something in there that isn’t. The result might be garbled junk but that junk is a URL.”

So don’t pick and choose or apply partially. If you want to escape a string, escape the entire string. Partially escaping might seem prudent but it’s a mistake and a way for things to leak through.

  • escape once

    double escaping is bad and carefully crafted content can use that to break through and expose malicious data. Be clear about which code is responsible for escaping, and make sure that code is also the code that prints it out

  • escape late

    Don’t assign escaped values to variables, those variables can be modified and made unsafe after escaping, and it encourages accidental double escaping.

  • escape often

    Escape all the things that you can, and do it in full. Even if you thought that the partial escaping should be fine, why trust that? Guarantee and say with 100% certainty that it will be fine by escaping the entire thing as one unit.

    • also does it really make sense to litter your code with lots of tiny esc_attr calls in every attribute when 1 will do the job?

Related Posts:

  1. What characters do I need to escape in XML documents?
  2. What characters must be escaped in HTML 5?
  3. How can I selectively escape percent (%) in Python strings?
  4. How do I escape a single quote in jQuery?
  5. Escape Character in SQL Server
  6. How to escape apostrophe (‘) in MySql?
  7. Should HTML output be passed through esc_html() AND wp_kses()?
  8. How to prevent escaping when saving HTML code in an option value?
  9. How to correctly escape query variables to be used in WP_Query
  10. esc_attr / esc_html / esc_url in echos
  11. When do I need to use esc_html()? [duplicate]
  12. what’s different between esc_attr, htmlspecialchars and htmlentities
  13. Allow all attributes in $allowedposttags tags
  14. When outputting a static string to the page, is it necessary to escape the output?
  15. How Flexible are the WordPress Coding Standards for PHPCS?
  16. why is esc_html() returning nothing given a string containing a high-bit character?
  17. How to properly escape a translated string?
  18. Translate a Constant while appeasing WordPress PHPCS
  19. Using esc_url() on a url more than once
  20. Do I need to escape get_theme_mod(‘url’) / (‘mail’) with esc_url?
  21. How to allow &nbsp with wp_kses()?
  22. Using esc_attr_e
  23. Why esc_html_() is not used on every text that has a translation (on Twenty Twenty One)?
  24. Escaping crashes my output
  25. How to safely escape the title attribute
  26. How to safely escape data that contains HTML attributes
  27. Can wp_strip_all_tags be used as a substitute for esc_url, esc_attr & esc_html?
  28. Echoing a URL to a link
  29. wp_kses_post escaping doesn’t appear to work as described?
  30. file_get_contents | escaping doesnt show the page
  31. Help about Escaping
  32. How to keep specific tag from an html string?
  33. Escaping Issues
  34. Escaping and Special Characters (e.g. &)
  35. Escaping get_option( ‘time_format’ ) is nesserary?
  36. How should esc_url be combined with trailingslashit?
  37. Uses for the ‘"’ entity in HTML
  38. How can I add ” character to a multi line string declaration in C#?
  39. Escape quotes in JavaScript
  40. How is \\n and \\\n interpreted by the expanded regular expression?
  41. Why shouldn’t `'` be used to escape single quotes?
  42. What does it mean to escape a string?
  43. Escaping HTML strings with jQuery
  44. What’s the Use of ‘\r’ escape sequence?
  45. How do I escape ampersands in XML so they are rendered as entities in HTML?
  46. Unrecognized escape sequence for path string containing backslashes
  47. What’s the difference between esc_html, esc_attr, esc_html_e, and so on?
  48. Should I escape wordpress functions like the_title, the_excerpt, the_content
  49. What is the difference between esc_html filter vs attribute_escape filter?
  50. Sanitize and data validation with apply_filters() function
  51. How to print translation supported text with HTML URL
  52. How do translated, escaped strings (esc_attr) in Themes work?
  53. Escaping WP_Query tax_query when term has special character(s)
  54. Do I need to escape data passed to wp_localize_script()?
  55. how to escape wp_oembed_get for phpcs
  56. How to escape html code with html allowed
  57. esc before saving or before displaying does it matter?
  58. Updating a post without escaping ampersands?
  59. Escape hexadecimals/rgba values
  60. Whats the safest way to output custom JavaScript and Css code entered by the admin in the Theme Settings?
  61. wp_specialchars and wp_specialchars_decode in a shortcode plugin
  62. Must I serialize/sanitize/escape array data before using set_transient?
  63. I am not understandinhg $wpdb->prepare correctly
  64. esc_attr not working in shortcode
  65. meta_query works locally but not on live server
  66. How do I escape a table name or column name in SQL? esc_sql doesn’t do this
  67. Sanitizing, Validating and Escaping in WordPress (Plugin)
  68. Escaping / encoding data before insert into a database?
  69. Escape when echoed
  70. How to sanitize user input?
  71. Should I always prefer esc_attr_e & esc_html_e instead of _e?
  72. Does balanceTags() provide any escaping / protection?
  73. WP_Editor – Saving Value into Plugin Option – Stripping HTML
  74. Is it necessary to escape LIKE term in WP_User_Query?
  75. Post Content, Special Characters and Filters
  76. Updating post data on save (save_post vs wp_insert_post_data)
  77. What is the safe way to print tracking code / pixel code before tag or tag
  78. How to escape attachment image caption text?
  79. mysql_real_escape_string() vs. esc_sql() in WordPress
  80. How to escape multiple attribute at once in WordPress?
  81. Trouble inserting string containing quotations marks with wpdb in save_post hook
  82. How to be escape Variables and options when echo?
  83. Why would you use esc_attr() on internal functions?
  84. How to safely return the HTML?
  85. product description text displays above website when in shop page [closed]
  86. how can i send this to wp_head – escape problem
  87. Should I escape the html for the settings field created with add_settings_field?
  88. how to unescape wordpress output
  89. How to use wp_filter_oembed_result?
  90. Escaping a WPDB Object in One Shot
  91. Escaping html for meta description
  92. Render the metabox input values as HTML
  93. Escaping WP_Query tax_query when term has special character(s)
  94. Where is escaped the shortcode?
  95. Escaping a shortcode so it displays as-is [duplicate]
  96. problem with quotes on new post
  97. Using `esc_attr( get_block_wrapper_attributes() )`, results in `class=””wp-block-foo””`
  98. Escaping data from database (users table) is necessary?
  99. esc_url, esc_url_raw or sanitize_url?
  100. how to escape alert/window.location.replace with variable
deneme bonusudeneme bonusu veren sitelerpulibet girişOnwin Güncel Giriştürkçe altyazılı pornocanlı bahis casino