Do I need to escape data passed to wp_localize_script()?

As far as I know wp_localize_script doesn’t escape data any more than is necessary to produce valid JSON, and everything is sent as a string. The function was originally designed to allow translating the strings used in your JS into other languages (hence the “localize” part of the function name). So if the data you’re passing is coming from a user input or is otherwise user-generated then you’ll definitely want to escape it.

Related Posts:

  1. Multiple wp_localize_script
  2. wp_localized_script is not defined when called via jquey ajax
  3. Use wp_localize_script for non existing script
  4. How do you pass a boolean value to wp_localize_script [duplicate]
  5. Pass multiple PHP variables to JS in Options Page
  6. How to get the post ID when creating JS variables with localize_script
  7. Localization of JavaScript which is only used in one page
  8. Find out if enqueued script uses wp_localize_script?
  9. Using wp_localize_scripts
  10. How do I pass the template url to javascript in the ADMIN area of my theme?
  11. wp_localize_script no longer working after 5.5 update
  12. How can I get variable from php function and use it in wp_localize_script?
  13. wp localize script is not working in a custom AJAX request
  14. Using template tags in external JS file
  15. Issue with wp_localize_script
  16. Translate string with wp_localize_script()
  17. What about Deferring a localized script?
  18. help with wp_localize_script
  19. Is there a way to know the name of all variables passed by wp_localize_script?
  20. How to define variables in WordPress AJAX?
  21. Uses for the ‘"’ entity in HTML
  22. How can I add ” character to a multi line string declaration in C#?
  23. Escape quotes in JavaScript
  24. How is \\n and \\\n interpreted by the expanded regular expression?
  25. Why shouldn’t `'` be used to escape single quotes?
  26. What’s the Use of ‘\r’ escape sequence?
  27. Unrecognized escape sequence for path string containing backslashes
  28. What’s the difference between esc_html, esc_attr, esc_html_e, and so on?
  29. Should HTML output be passed through esc_html() AND wp_kses()?
  30. How to intercept already localized scripts
  31. What is the difference between esc_html filter vs attribute_escape filter?
  32. How to print translation supported text with HTML URL
  33. What is the correct way to build a widget using OOP
  34. Creating Multiple wp_localize_script for Shortcode?
  35. How do translated, escaped strings (esc_attr) in Themes work?
  36. w3 total cache minification breaks wp_localize_script() [closed]
  37. How to escape html code with html allowed
  38. esc before saving or before displaying does it matter?
  39. Updating a post without escaping ampersands?
  40. Whats the safest way to output custom JavaScript and Css code entered by the admin in the Theme Settings?
  41. wp_specialchars and wp_specialchars_decode in a shortcode plugin
  42. Sanitizing comments or escaping comment_text()
  43. How to properly escape a translated string?
  44. Setting HTML properties in a Gutenberg plugin using WordPress settings
  45. I am not understandinhg $wpdb->prepare correctly
  46. Nonces, AJAX, script variables & security in WordPress
  47. meta_query works locally but not on live server
  48. Wp_localize_script from Shortcode [closed]
  49. Sanitizing, Validating and Escaping in WordPress (Plugin)
  50. wp_localize_script and host/browser cache
  51. Escape when echoed
  52. Should I always prefer esc_attr_e & esc_html_e instead of _e?
  53. How can I output a php value into a JS file within WordPress?
  54. Different uniqid when calld in wp_localize_script and shortcode
  55. Script Localization doesn’t work
  56. WP_Editor – Saving Value into Plugin Option – Stripping HTML
  57. Is it necessary to escape LIKE term in WP_User_Query?
  58. Post Content, Special Characters and Filters
  59. Enqueue scripts all over but not in single.php
  60. Updating post data on save (save_post vs wp_insert_post_data)
  61. What is the safe way to print tracking code / pixel code before tag or tag
  62. mysql_real_escape_string() vs. esc_sql() in WordPress
  63. Path to image in js with wp_localize_script [closed]
  64. Escaping crashes my output
  65. How to escape multiple attribute at once in WordPress?
  66. Trouble inserting string containing quotations marks with wpdb in save_post hook
  67. How to be escape Variables and options when echo?
  68. Is there any solution, ide/tool etc., for automatic escaping for WordPress?
  69. Can wp_strip_all_tags be used as a substitute for esc_url, esc_attr & esc_html?
  70. issue in wp_localize_script
  71. Localize script not working in ajax
  72. product description text displays above website when in shop page [closed]
  73. wp_localize_script not passing the data
  74. How to load dynamic option with ajax
  75. Getting jQuery AJAX to work in WordPress (getting -1)
  76. wp_enqueue_script calling jQuery at different times for different browsers?
  77. how can i send this to wp_head – escape problem
  78. Get localize of a loaded javascript
  79. wp_kses_post escaping doesn’t appear to work as described?
  80. How to Object.freeze wp_localize_script
  81. Get with jQuery the value of an ACF field
  82. how to unescape wordpress output
  83. Help about Escaping
  84. How to use wp_filter_oembed_result?
  85. localize_script or rest api
  86. I can’t load my images from a js file using wp_localize_script
  87. bundled jquery in theme js not working with wp_localize_script
  88. Frontend AJAX Request causes Error: ‘Call to undefined function add_action’
  89. wp localize script makes variable global, how to solve that?
  90. Multiple shortcodes only use attributes from one of the shortcodes on custom plugin
  91. How to get, in WP page’s script, a wp enqueued script (in Functions.php)?
  92. Render the metabox input values as HTML
  93. Pass list of categories to JS
  94. Where is escaped the shortcode?
  95. Escaping a shortcode so it displays as-is [duplicate]
  96. Escaping and Special Characters (e.g. &)
  97. WordPress wp_localize_script nonce and ajax URL
  98. Using `esc_attr( get_block_wrapper_attributes() )`, results in `class=””wp-block-foo””`
  99. esc_url, esc_url_raw or sanitize_url?
  100. how to sanitizing $_POST with the correct way?

Leave a Comment

error code: 523