Correct way of using esc_attr() and esc_html()

Escaping is all about eliminating the need for trust or “it should be an XYZ” and instead guaranteeing it by force that “it will always be an XYZ”. It’s like a cookie cutter, everything will be that shape at the end even if it’s not cookie dough.

esc_attr

The official docs contain the answer:

When a variable is used as part of an attribute or url, it is always better to escape the whole string as that way a potential escape character just before the variable will be correctly escaped.

Escaping is all about context, so by concealing context from esc_attr you’re reducing its effectiveness. Don’t escape portions of an attribute, escape the entire attribute, and do it at the moment of output.

esc_attr is for escaping an attribute, the entire attribute. You can’t use it to partially escape sub-sections of an attribute because that’s not what it’s intended for, and it would be a misuse.

This is for the same reason you cannot use esc_url on sub-sections of a URL, esc_url always outputs a full URL. Without the context of the full URL it’s not possible to correctly escape it without potentially dangerous things leaking through, or malformed URLs that could be dangerous leaking out.

esc_html

esc_html guarantees that a string will not contain HTML tags, and it does this by escaping them so that they are printed out to the user rather than processed and executed by the browser.

Is this approach correct? I specifically meant this part: … esc_html__('Setup and Help', 'my-plugin') . ' <i …

Yes! You may find some people consider escaping language strings unnecessary or overzealous, but language files and filters can be used as an attack vector and you’re protecting yourself by doing this.

If you know that string should never contain HTML, then escaping can provide some guarantees of that.

In General

Escaping is all about enforcing expectations. esc_html and esc_attr are intended for different purposes. Escaping isn’t a magic thing you apply to stuff universally; it’s ultra specific to the context and use. That’s why we don’t have a general escape function but instead have specific functions such as esc_html/esc_textarea/esc_attr/esc_url/wp_kses_post/strip_tags, etc.

“This variable contains a URL, and now that I’ve used esc_url it will be a URL even if you put something in there that isn’t. The result might be garbled junk but that junk is a URL.”

So don’t pick and choose or apply partially. If you want to escape a string, escape the entire string. Partially escaping might seem prudent but it’s a mistake and a way for things to leak through.

  • escape once

    Double escaping is bad, and carefully crafted content can use that to break through and expose malicious data. Be clear about which code is responsible for escaping, and make sure that code is also the code that prints it out.

  • escape late

    Don’t assign escaped values to variables, those variables can be modified and made unsafe after escaping, and it encourages accidental double escaping.

  • escape often

    Escape all the things that you can, and do it in full. Even if you thought that the partial escaping should be fine, why trust that? Guarantee and say with 100% certainty that it will be fine by escaping the entire thing as one unit.

    • Also, does it really make sense to litter your code with lots of tiny esc_attr calls in every attribute when one will do the job?
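To put the "escape the whole attribute, once, at output" rule next to the partial-escaping habit it replaces, here is an added example (not code from the answer above or from any plugin). It assumes WordPress is loaded, and the `my_plugin_icon_class` filter, `$icon` and `$slug` are hypothetical plugin values.

```php
<?php
// Added example, not from the original answer. Assumes WordPress is loaded so
// esc_attr(), esc_url(), esc_html__(), admin_url() and apply_filters() exist.
// The filter name, $icon and $slug are hypothetical plugin values.

// Anti-pattern: only the variable is escaped, the escaped value is parked in a
// variable and concatenated later, and esc_url is applied to a piece of a URL.
// The filtered prefix is never escaped at all, so the class attribute is only as
// safe as whatever the last filter callback returned.
function my_plugin_menu_link_partial( $icon, $slug ) {
    $prefix    = apply_filters( 'my_plugin_icon_class', 'dashicons dashicons-' );
    $safe_icon = esc_attr( $icon );                  // escaped early...
    $class     = $prefix . $safe_icon;               // ...then mixed with unescaped text
    $href      = admin_url( 'admin.php?page=' ) . esc_url( $slug ); // esc_url on a fragment
    return '<a class="' . $class . '" href="' . $href . '">'
        . esc_html__( 'Setup and Help', 'my-plugin' )
        . ' <i class="' . $class . '"></i></a>';
}

// Correct: assemble each complete attribute value first, then escape it as one
// unit at the moment it is printed. Nothing escaped is stored for reuse, so
// there is no chance of modifying it afterwards or double escaping it.
function my_plugin_menu_link( $icon, $slug ) {
    $prefix = apply_filters( 'my_plugin_icon_class', 'dashicons dashicons-' );
    return '<a class="' . esc_attr( $prefix . $icon ) . '"'
        . ' href="' . esc_url( admin_url( 'admin.php?page=' . $slug ) ) . '">'
        . esc_html__( 'Setup and Help', 'my-plugin' )
        . ' <i class="' . esc_attr( $prefix . $icon ) . '"></i></a>';
}

echo my_plugin_menu_link( 'admin-tools', 'my-plugin-setup' );
```

The second function is the shape the answer recommends: one esc_attr per attribute, one esc_url per full URL, one esc_html__ per translated string, each applied where the value is echoed.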
