As far as I know, wp_localize_script doesn’t escape data any more than is necessary to produce valid JSON, and everything is sent as a string. The function was originally designed to allow translating the strings used in your JS into other languages (hence the “localize” part of the function name). So if the data you’re passing is coming from a user input or is otherwise user-generated, then you’ll definitely want to escape it.
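The consuming side of this, as an added example that is not part of the original answer: a script that receives localized data converts the string values it needs as other types and escapes the user-generated text for the HTML context it writes into. The field names (postId, isLoggedIn, displayName) and the sample values are constructed for illustration.

```javascript
// Constructed sample: the kind of object wp_localize_script prints into the page.
// Scalar values arrive as strings, and markup inside them is left intact.
const emitted = JSON.stringify({
  postId: "42",
  isLoggedIn: "1",
  displayName: 'Ann <img src=x onerror=alert(1)> & "co"',
});

// Escape a value for use as HTML text or inside a quoted attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Validate and convert the string values before the script relies on them.
function readLocalized(json) {
  const parsed = JSON.parse(json);
  if (!/^[0-9]+$/.test(parsed.postId)) {
    throw new TypeError("postId is not an integer string");
  }
  return {
    postId: Number(parsed.postId),
    isLoggedIn: parsed.isLoggedIn === "1",
    displayName: String(parsed.displayName), // still untrusted text
  };
}

// Build markup with every untrusted value escaped for the HTML context.
function renderGreeting(localized) {
  return '<p data-post="' + escapeHtml(localized.postId) + '">Hello, ' +
    escapeHtml(localized.displayName) + "</p>";
}

console.log(renderGreeting(readLocalized(emitted)));
```

In a browser, assigning the name through textContent instead of building an HTML string avoids the need for escapeHtml at that point.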