how to escape alert/window.location.replace with variable

how do I esc them?

You don’t, both approaches are fundamentally wrong in multiple ways that make them irrecoverable.

First Case

echo "<script> alert( 'Authorization successful. Hello ' + '$me')</script>";

In this scenario we are trying to use alert to display a string, and append both values together. Aside from the usage of alert there are several mistakes:

  • If we want to insert the PHP variable $me into the JS string, why are we doing the concatenation in javascript?
  • We don’t know what $me is or where it’s coming from

The final product of this should be an alert function that takes a variable or a hardcoded string, no variations on that. So there will not be a + operator.

Additionally, we do not know what’s considered acceptable here, escaping is all about context and enforcing expectations but none have been provided. e.g. are HTML tags acceptable? Do we only want numbers and letters? Is it an email? The answers to these questions determine how you would escape the value.

This is the closest to an answer as you asked for it, and it’s not reliably secure:

?>
<script>alert(<?php echo wp_json_encode( 'Authorization successful. Hello ' . $me ); ?> );</script>
<?php

Because we do not know $me contains or what it’s intended to do, we have to assume you want to display a plaintext string safely with alert. So we JSON encode it. If it’s a string it’ll be passed in as a string. Notice that the string concatenation is happening in PHP, not JS. If $me is not a string then this code will fail.

Second Case

echo "<script> window.location.replace('$url'); </script>";

Here we can safely assume that $url is meant to hold a URL, therefore esc_url would be appropriate, but we can’t dump that into a JS snippet directly.

The next best thing we can try is this:

echo "<script> window.location.replace( ". wp_json_encode( esc_url( $url ) ) . " ); </script>";

Important

  • Don’t just use wp_json_encode everywhere, it isn’t the magic fix all escaping function for JS. The true fix is to never need to insert PHP variables directly into printed JS. It’s a strong code smell and a strong indicator that you’ve done something terribly wrong.
    • e.g. how would this work: alert( { object... } ); or <a href=""malicious string""
    • if you know the type of the value you can be more specific, e.g. intval would be more appropriate for a number
    • WordPress already has a mechanism for exposing data to javascript, e.g. wp_add_inline_script, see https://developer.wordpress.org/reference/functions/wp_add_inline_script/
    • In general you want to avoid printing a <script> tag with javascript inside from PHP, even if there are no variables, unless you really have to. Most of the times I’ve done it are for 3rd party integrations in a footer/header, never for the core logic of what I’m building.
  • The example involving window.location should never make it into production code. There are no situations where this wouldn’t be better served by a PHP call to wp_redirect instead
  • Escaping isn’t a magic function you apply to data to make it safe, it’s a cookie cutter that guarantees assumptions. Why trust that a variable contains a URL when you can guarantee it using esc_url? Then if it isn’t a URL it’ll be mangled into the shape of a URL and disarmed.

Related Posts:

  1. Gutenberg Blocks doesn’t render correctly when using do_blocks
  2. Create custom blocks for bootstrap
  3. admin-ajax.php responding with 0
  4. Page Reloads Before AJAX Request Finishes
  5. How to test nonce with AJAX – Plugin development
  6. How to select the contents in the text view textrea in wp_editor?
  7. How to send Ajax request from my plugin in admin dashboard?
  8. AJAX success response is not working but it’s saving my changes
  9. HTML escaping data with ajax requests
  10. Is it save to use eval for a jQuery callback method coming from the database?
  11. wordpress admin plugin menu custom css
  12. How to Change CSS Colors from Custom Plugin Settings Page
  13. Passing the name of selected color from the custom component to `render_callback`
  14. WordPress – Get Posts with Category data
  15. How to use wp_send_json() and output the value with ajax?
  16. How to correctly escape an echo
  17. Settings API form – submit with AJAX
  18. How to extend SelectControl with data from my theme
  19. Post form – AJAX won’t upload featured image – Plugin development
  20. Creating a POP Alert
  21. How do I disable cache for a certain page?
  22. register dependency css and js inside a plugin class
  23. How to use Amazon Elastic Transcoder from WordPress using AWS SDK for PHP?
  24. Why this plugin is not working?
  25. how can I make content from a plugin hidden when user is logged in? [duplicate]
  26. Import js variables loaded via wp_localize_script() into js module without global scope connection
  27. Should I use spl_autoload_register() in my plugin?
  28. How can I save a multiple select array with the settings API for a plug-in options page?
  29. Using register_activation_hook in classes
  30. Add a class to links in the visual editor (how to get old dialog back)
  31. Is there a way for a plugin to add an attribute to the tag of a theme?
  32. Calling a method from functions.php on a click of a button
  33. How to use WordPress (PHP) functions in AngularJS partials files?
  34. How to create a custom config file and get data using inline JS in a wordpress page
  35. My shortcode is showing up twice
  36. Database “Migration” for Plugins?
  37. using woocommerce_template_single_add_to_cart in shop-loop – javascript issues [closed]
  38. Does wp-cron runs all tasks scheduled at same time together or one after other?
  39. Use WordPress’s Media Uploader/ Manager in non WordPress php application
  40. Get/Set wp.customize.previewer.previewUrl
  41. Sanitizing, Validating and Escaping in WordPress (Plugin)
  42. Making Quote Plugin more efficient
  43. Will simple function names in a class structure conflict with other plugins?
  44. How can I output a php value into a JS file within WordPress?
  45. Pulling data from custom plugin settings using PHP shortcode and Javascript
  46. Slider loading issue
  47. How can i upload images in an admin page?
  48. remove wp floating submenu in wp dashboard
  49. How to complete two other input fields, completed the first
  50. Retrieve $_POST data submitted from external URL in WordPress(NOT API)
  51. Reprinting tags with all attributes
  52. Need Help Fixing My Iframes [closed]
  53. wp_enqueue_scripts leads to error
  54. Update results, Before deleting the related category [closed]
  55. Passing UTM Parameters To Modify Page In WordPress
  56. How to add a do_action on refreshing of WP customizer?
  57. Adding function to Genesis genesis_header [closed]
  58. Add / Update Custom Fields After Select Pictures in Media Window
  59. how to update and display an option without reloading the page
  60. Plugin Generate Unexpected output during activation
  61. Hook called before text widget save
  62. wpdb prepare insert table doesn’t work
  63. trying to put an active hover to my custom nav category buttons [closed]
  64. How do I get my Javascript scripts working?
  65. Using admin-post.php for admin form but it directs me to admin-post.php white screen
  66. Calling PHP Titles inside Javascript Markup
  67. custom plugin with upload files does not work
  68. ‘Bones’ theme: Load stock scripts in footer instead of header?
  69. What is the difference between Null vs Empty (Zero Length) string?
  70. go to home page when i select default in select-box
  71. send popup after wp_redirect()
  72. no_rest_route error on custom routes
  73. How to redirect non logged in mobile users to page on same site?
  74. Decode and Decrypt Azure B2C OpenID Authorization Token, Use Response in API Call (Example Token Within)
  75. Create ACF Checkbox to get all ACF Values from Parent Page
  76. Exclude ipads and tablets form wp_is_mobile code
  77. Display a custom name when the user has no name settle in his account
  78. gettint error 400 with AJAX
  79. Sum All the Post Meta of Published posts of Current Logged in user
  80. Javascript / PHP – closing the loop
  81. I can’t load my images from a js file using wp_localize_script
  82. How to output values from a loop into a javascript array
  83. Bring Font Awesome icons inside menu A tags
  84. Autoloading Classes in Plugins
  85. custom post type column countdown
  86. Pass product object to javscript
  87. Automatically refresh page if widget is added to page?
  88. number of posts with “Load More”
  89. Call custom JS function from PHP
  90. Complex PHP for json_encode > how to handle/output right?
  91. Comparing Dates within plugin using PHP If statement
  92. Singleton plugin activation; create database
  93. How to limit each front-end user to view just his own uploaded files on Amazon S3?
  94. What’s the best way to format ACF number fields for display on the front end?
  95. How keep woocommerce users separeted in multisite install and keep admins on network
  96. Import and use a variable in additional settings of Contact Form 7 [closed]
  97. Is there a better way to output HTML as a shortcode?
  98. Displaying custom meta box value in a custom post page
  99. how to check elementor is widget is active or loaded
  100. Create a custom plugin with dynamic child pages listing database records
tech