Filter all HTML output

You can’t protect against everything a user will do. What if they hard-code an email address in the footer/header/sidebar of their theme? The only way to capture and escape that is with output buffering … and that can become a performance nightmare.

My recommendation would be to do two things:

  1. Hook in to all of the places that make sense.
  2. Provide accessible functions that allow people to escape their own content.

You’ve already got step 1 pretty much covered. Email addresses most often appear in post content (the_content and the_excerpt) but might also appear in comments. I would also recommend filtering the title and the content of sidebar widgets:

// Pass $this by value; array(&$this, ...) is not valid on PHP 7.1 and later.
add_filter('the_title', array($this, "pep_replace"));
add_filter('widget_content', array($this, "pep_replace"));

For step 2, document a generic function that people can use to sanitize their email addresses:

function sanitize_email( $email ) {
    // Illustrative body (the original left this as "do stuff"): encode every
    // character as a numeric HTML entity so browsers still render the address
    // while naive scrapers see only entities.
    $sanitized_email = '';
    foreach ( str_split( $email ) as $char ) {
        $sanitized_email .= '&#' . ord( $char ) . ';';
    }
    return $sanitized_email;
}

Users can then use this rather than hardcoding their email address:

<p>Please contact me at <?php echo sanitize_email( '[email protected]' ); ?>.</p>

If you weren’t already filtering the_content, I’d recommend you create a shortcode as well … but that’s a bit redundant.

Be very careful

The other three hooks you’ve listed aren’t actually filters – these are action hooks. They’re meant to be places in code where you can hook in your own logical methods. Unlike filters, they don’t return anything to PHP … so they’re pretty meaningless when used as filters.
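The two steps above, put together as one small plugin file. This is an added example, not code from the answer or from any plugin it refers to: the hook names are the ones the answer lists, but the class name, the method names, the email regular expression and the entity-encoding scheme are assumptions. The helper is prefixed `pep_` because WordPress core already defines its own `sanitize_email()`, and redeclaring that name would be a fatal error.

```php
<?php
/*
 * Added example: register the obfuscating filter on every output hook the
 * answer mentions, and expose a prefixed helper for theme authors who
 * hard-code an address in a template. Names marked "assumed" are not from
 * the original answer.
 */
class Pep_Email_Obfuscator {            // assumed class name
    // Constructed pattern: conservative, good enough for post/comment text.
    const EMAIL_PATTERN = '/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/';

    // Hooks named in the answer; all of these are filters, so the callback
    // must return the (possibly modified) string.
    private $hooks = array( 'the_content', 'the_excerpt', 'comment_text',
                            'the_title', 'widget_content' );

    public function register() {
        foreach ( $this->hooks as $hook ) {
            // Pass $this by value; array(&$this, ...) errors on PHP 7.1+.
            add_filter( $hook, array( $this, 'pep_replace' ) );
        }
    }

    // Filter callback: replaces every address in the text with its
    // entity-encoded form and returns the result.
    public function pep_replace( $text ) {
        return preg_replace_callback(
            self::EMAIL_PATTERN,
            function ( $m ) { return pep_obfuscate_email( $m[0] ); },
            $text
        );
    }
}

// Template helper (assumed name). Encodes each character as a numeric HTML
// entity; browsers decode entities in both text and attribute values, so
// <a href="mailto:..."> links keep working.
function pep_obfuscate_email( $email ) {
    $out = '';
    foreach ( str_split( $email ) as $char ) {
        $out .= '&#' . ord( $char ) . ';';
    }
    return $out;
}

if ( function_exists( 'add_filter' ) ) {
    // Running inside WordPress: wire up the filters.
    $pep = new Pep_Email_Obfuscator();
    $pep->register();
} else {
    // Stand-alone check from the CLI (php this_file.php) on a constructed string.
    $sample = 'Contact <a href="mailto:me@example.com">me@example.com</a> today.';
    $pep    = new Pep_Email_Obfuscator();
    echo $pep->pep_replace( $sample ), PHP_EOL;
    echo pep_obfuscate_email( 'me@example.com' ), PHP_EOL;
}
```

A theme author then writes `<?php echo pep_obfuscate_email( 'me@example.com' ); ?>` in a template instead of the raw address, which covers the footer/header/sidebar case that the content filters cannot reach.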
