esc_attr() on hard coded string

All text entered into the database is, in essence, “user entered”. If the site gets hacked a hacker could change every instance of the field “title” to contain javascript, for example. If you just echo out the field then you’re writing the javascript to the page and thus injecting the code into the page.

Therefore, you should consider everything that comes from the database to be potentially hackable and use the appropriate esc_ function before writing it out.

Related Posts:

  1. How to store username and password to API in wordpress option DB?
  2. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  3. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  4. Nonces can be reused multiple times? Bug / Security issue?
  5. Can someone explain what wp_session_tokens are, and what are they used for?
  6. WordPress and PHP Sessions – Security and Performance
  7. What is the difference between esc_html and wp_filter_nohtml_kses?
  8. Nonce in settings API with tabbed navigation
  9. Log in from one wordpress website to another wordpress website
  10. Escaping built-in WP function return strings
  11. What is the difference between strip_tags and wp_filter_nohtml_kses?
  12. WP Cron doesn’t save or in post body
  13. WordPress restrict plugin file direct access
  14. Plugin development: is adding empty index.php files necessary?
  15. Confusion on WP Nonce usage in my Plugin
  16. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  17. Correct way check nonce (security) using old Options API
  18. Why do I need to check if wp_nonce_field() exists before using it
  19. Is there any way to check for user login and send him to login?
  20. WordPress security issue to output data from user input from theme option form
  21. Verify if user is wordpress logged in from another app since wordpress 4.0
  22. Secure Pages Best Practice
  23. Securing/Escaping Output of file content – reading via fread() in PHP
  24. best way to make a WordPresss multisite that is secure but at the same time supporting my plugin development efforts
  25. Video Security just like facebook [closed]
  26. Is disabling test_form in wp_handle_upload a security concern?
  27. How to connect my wordpress plugin to a remote database securely?
  28. wp_nonce_field displaying twice
  29. Is it necessary to do validation again when retrieving data from database?
  30. Checking a WordPress for OWASP top 10 vulnerabilities [closed]
  31. How do I have now a duplicated user entry if this is not allowed (and I cannot replicate it)?
  32. add_submenu_page hooked function must explicitly check user capabilities – why?
  33. Are there any security risks when submitting data-attribute data through AJAX?
  34. Why would you use esc_attr() on internal functions?
  35. Is it possible to use WP-CLI in a plugin (or theme)?
  36. Secruity Questions on a timer
  37. Using HTML links within translatable string
  38. How can I save a password securely as a settings field
  39. Using password protection to load different page elements?
  40. HTML Elements in my WP Plugin being generated in JS. Security and Translated Text Question about this method being used
  41. How to store sensitive user data (passwords)
  42. How do I make secure API calls from my WordPress plugin?
  43. how to add security questions on wp-registration page and validate it
  44. Experts opinions needed: How (in)secure is this approach?
  45. What is more secure checking capabilities of user or checking role of user in WordPress plugin development
  46. Data Validation, dynamically generated fields (select for example)
  47. esc_url, esc_url_raw or sanitize_url?
  48. How to debug a plugin with Xdebug?
  49. Is there widely accepted phpDoc syntax for documenting which hook calls a function?
  50. How to iterate through custom posts and add the title to an array
  51. How to Structure a New Role/Capability Scheme?
  52. How to create Image gallery Metabox in wordpress [closed]
  53. Is it possible to create an action hook using do_action() within add_action()?
  54. WordPress 2.8 Widget API is suitable for Worpress 3.1.4 plugins development?
  55. Need specific kind of “Poll Voting” for WordPress [closed]
  56. Install widget on plugin activation
  57. Plugin admin page meta_box toggle and order state not saving
  58. Is there a better way to implement responsive images than what WordPress uses by default?
  59. Prevent Javascript Facebook SDK Conflicts in plugin
  60. Integrating Stripe PHP library into a custom WordPress Plugin
  61. Use WP_Theme::scandir function to scan a plugin directory. Is there a way?
  62. Plugin options not being saved or created
  63. Change the ‘published on’ text?
  64. How to get boolean value from register_meta properly?
  65. Gravity Forms Perks – Nested Forms
  66. Remove custom post type slug from URL and add taxonomy Slug
  67. How do I get the sub categories of the parent when in a sub category?
  68. custom permalink’s rewrite rule for page id
  69. How can I identify it as admin page or not?
  70. AJAX form post returns 0
  71. Update custom plugin with WP-CLI
  72. Autogenerate a Table of Contents
  73. Update wordpress Core Remotely
  74. Proper way to use useSelect
  75. Access to apache logs from plugin
  76. Two different wordpress sites – same server and IP address. Gaining Access to database 1 of 2
  77. Translating plugin settings page – dropdown list
  78. Hide one specific woocoomerce product
  79. settings api – add_settings_section not working
  80. Remove Meta-boxes (Yoast SEO plugin) [duplicate]
  81. Can I use a custom post type as a custom taxonomy for a different custom post type?
  82. wp_schedule_single_event is set correctly but sometimes not fired
  83. Attaching Image-file to userId
  84. wp.media gallery collection sometimes undefined
  85. Pass Values in URL on WooCommerce Product Page
  86. Can’t load a script in my plugin page
  87. Plugin Install Issue “-1” Appended to end of plugin name
  88. $ is not defined [duplicate]
  89. How to affect front page by plugin
  90. problem with blank page
  91. Use custom clean URLs for a plug in
  92. Cannot echo a JS variable to a jQuery plugin coming from wp_localize_script
  93. Select options not reloading after form submit
  94. Plugin SVN folder structure
  95. Checking if the query is empty does not work
  96. Remove default wordpress roles
  97. What is the meta_query key name for the woo product average rating? [closed]
  98. how to catch a data from a array in WordPress
  99. Why my admin-ajax url returns 0 even after adding echo and die() at the end of function?
  100. External api call using wordpress