Should messages in WP_Error already be html escaped?

No, escaping should happen at the moment of output ( late escaping ) so that we know that it only occurs once. Double escaping can allow specially crafted output to break out.

By escaping, we’re talking about functions such as esc_html, wp_kses_post, esc_url, etc.

Sanitizing functions and validating functions are not the same, e.g. sanitize_textfield. Sanitising cleans data, validation tests data, escaping enforces a type of data.

Think of it like this for a triangle factory:

  • The validator tests the item is a triangle , and gives it a thumb up or down, it only observes. If it’s triangle shaped, yes! If not, no. Validators are a good way to reject input, and should happen on input.
  • The sanitizer cleans the item, removes things that don’t belong on a triangle on input. Other examples might be removing trailing spaces. If the item is meant to be a number it might strip out any letters and symbols. The end result is just a cleaner, easier to manage version of what went in.
  • The escaper enforces the triangle shape, it’s like a cookie cutter with an triangle shaped hole in a triangle factory. It doesn’t matter what goes in, a triangle is coming out, even if a square went in. Sure you might end up with a mangled broken thing that’s triangle shaped, but triangles are what we intended and triangles are what we’re getting

Double escaping is bad because if we then take our broken square that’s shaped like a triangle, flip it upside down, and run it through the cookie cutter a second time, we don’t get a triangle, we get a hexagon. We didn’t want hexagons!

We can sanitize and validate as many times as we want, but we should only escape once, and it should happen at the moment of output, if not as close as possible to it.

So since WP_Error does not output, and is not responsible for outputting, it should not perform any escaping internally, nor should its inputs be escaped. Validated/sanitized perhaps, but not escaped.

If we did escape on input, we would either have to double escape, or trust all WP_Error objects, which is a non-starter. All it would take is a single plugin developer forgetting to escape on input. It’s also a lot easier to escape in the one place that outputs, than to escape in the many places that input.

So instead, the code that receives and outputs the WP_Error object is where the escaping should be, that way we escape on output safe in the knowledge that no early escaping has occurred, no double escaping happens, whether it’s been escaped is not a problem we have to deal with, and the responsibility for escaping is clear and straight forward

As for how to safely output a WP_Error object, either esc_html or wp_kses_post will suffice. The latter will allow tags such as <strong> etc. Generally, putting anything more complex in an error object than what you’d put into a post is a bad idea, WP_Error objects are structured data already

Related Posts:

  1. How to catch/what to do with a WP Error Object
  2. What are the best practices for updating?
  3. Is there a plugin that will override the “Error establishing a database connection” message? [closed]
  4. Loading external page template and enqueue script from plugin causes 403 forbidden error
  5. When do I need to use esc_attr when using WordPress internal functions
  6. PHP Deprecated: Non-static method should not be called statically
  7. Plugins error (Use roles and capabilities instead) on latest version, multisite
  8. WordPress error – PHP Fatal error: Uncaught Error: Call to undefined function register_block_type_from_metadata()
  9. Error: “Cannot modify header information”
  10. Plugin.php: PHP Notice: Undefined offset: 0 in
  11. check for the current screen
  12. “Are you sure you want to do this?” when deactivating all plugins in WordPress 4.3.1 [closed]
  13. How should I handle errors within a plugin?
  14. An Unexpected HTTP Error occurred during the API request
  15. wp_specialchars and wp_specialchars_decode in a shortcode plugin
  16. echo do_shortcode is not working on theme’s template
  17. Seaweed Plugin not working
  18. All plugins deactivated due to error
  19. Unable to activate wordpress importer after installing it
  20. Weird problems after recovery from security breach
  21. Sanitizing, Validating and Escaping in WordPress (Plugin)
  22. Escape when echoed
  23. Should you escape hardcoded URLs?
  24. Error in the wp-config.php file: PHP Fatal error: Uncaught Error: Unknown named parameter (PHP 8.0)
  25. Can a plugin still effect a site even after deletion?
  26. Accessing GET variable named ‘error’
  27. Error handling a plugin with exceptions
  28. Is Wrapping intval() Around esc_attr() Redundant for Escaping Input?
  29. Post-terms-order PHP errors after update
  30. Call to undefined function get_userdata in user.php
  31. Only Homepage not loading properly
  32. One of my plugins broke when I tried to update it, how do I safely uninstall it?
  33. Images not showing after changing wp-content folder name
  34. WooCommerce Checkout Error [closed]
  35. Plugin: Google Analytics for Dashboard error – Timestamp is too far from current time
  36. How to redirect a URL with parameters?
  37. Problem using Press-this book marklet
  38. Nonce failing on form submission
  39. Deactivating all plugins and reactivating one by one, fixes conflicts. Why?
  40. WordPress shows error related to allow_url_fopen
  41. Unable to get WP_DEBUG, WP_DEBUG_DISPLAY, WP_DEBUG_LOG to work
  42. Get errors from WP_Error to different variables
  43. help with my wordpress website
  44. HTTP 500 error after plugin install
  45. Can’t activate Plugin: unexpected T_STRING, expecting T_FUNCTION [closed]
  46. Plugin getting Cannot modify header information errors
  47. WP-nivo-slider Producing Error “Cannot modify header information – headers already sent by …”
  48. XML Sitemap Generator can’t notify google and bing
  49. How to be escape Variables and options when echo?
  50. After updating the WordPress getting a syntax error in the console
  51. There has been a critical error on your website – won’t fix no matter what
  52. UTF-32be error WordPress
  53. Plugin showing error
  54. Classic, but puzzling “The uploaded file could not be moved”
  55. Plugin upgrade failing during unzip
  56. Problem after updating plugins
  57. Apparent errer when installing plugin
  58. How to get Facebook comment plugin in blog? [closed]
  59. Undefined index: ratings_score …/wp-postratings.php on line 994
  60. Strange Behavior on New Theme Points to Idiocy
  61. 404 errors when updating options in admin dashboard
  62. Error activating certain plugins
  63. All new plugins generating 311 chars of unexpected output?
  64. Error when adding extensions to wordpress version 5.9 with a DIVI install
  65. Replace old theme that understand old css (vcex_icon_box css_animation)
  66. WordPress fatal error from php protocol codes
  67. There has been a critical error on this website
  68. WP search box on page not finding .PDF files
  69. Changing wordpress/woocommerce notices default message to other languages (text)
  70. How to Fix WordPress multisite woocommerce 403 file error
  71. Critical Error after Updraft Restoration
  72. There has been a critical error on your website
  73. I can’t view the orders on the woocomerce dashboard with the brainblocks plugin
  74. Modifying server’s response to API endpoint
  75. Woocommerce functions in custom class, avoid errors
  76. ERROR message: “The site is experiencing technical difficulties. Please check your site admin email inbox for instructions.”
  77. Object of class WP_Error could not be converted to string in /formatting.php
  78. Error after installing the WordPress plugin updates
  79. White blank screen while adding or editing pages in wordpress
  80. Cannot modify header information – headers already sent during plugin activation
  81. WordPress error after installing plugin “Internal Server Error” [closed]
  82. Need Help Understanding Debug Log Errors
  83. Plugin debugging with errors in activation routine
  84. WP default file upload hook not working if used in a plugin
  85. Escaping and sanitization
  86. A more elegant way to handle notices/warnings
  87. A plugin is giving me “You do not have sufficient permissions to access this page.” error
  88. Restore Category Base
  89. Plugin (smart archives reloaded) crashed site / no access on admin panel
  90. Custom Post type plugin breaking the front page shows dashboard?
  91. Plugin won’t activate, fatal error (widget class not found)
  92. Plug-in (Slickr Flickr) works on local machine, but not server
  93. Theme causing SSL break on chrome
  94. The plugin generated xxx characters of unexpected output during activation
  95. WordPress Customer Reviews Error: Line 239?
  96. WordPress Plugin: Demon Image Annotation
  97. WordPress Plugins Error
  98. How to get an error message if a form is empty (plugin: Post for site) [closed]
  99. How can I resolve an error on WordPress after PHP update
  100. How can I disable a plugin in Health Check mode if there’s a critical error?

Leave a Comment