Should the HTML attribute ‘tabindex’ be escaped?
How to assess whether a WP core (or other) function is escaped already or not?
TLDR: No parameters need to be escaped. The below assumes no third-party code hooked into any filters run by the wp_get_attachment_image() function or sub-function calls: $attachment_id (parameter 1) This is used to get the attachment post and reference it in other functions. This parameter is not used in direct output and thus does not need to … Read more
You would use it like this: <?php the_title(); ?> the_title is responsible for its own escaping, much like the_content. It's the same with any filters that try to use it; they should perform escaping on anything they add. In fact, I can run JS such as alert("test"); if I place that in the post title. … Read more
Because you don't return JSON, you can use admin-post.php. Create a hook like this: add_action("admin_post_nopriv_MY_PLUGIN__answer", function () { header("Content-type: text/xml"); echo "<abc><def>1</def></abc>"; exit(); }); and then use the URL /wp-admin/admin-post.php?action=MY_PLUGIN__answer. When debugging, don't forget that admin_post_nopriv only answers for unconnected users, so you can open the URL in another browser.
esc_html doesn't work on a variable but does work on pasted text
Escaping is all about eliminating the need for trust or “it should be an XYZ” and instead guaranteeing it by force that “it will always be an XYZ”. It’s like a cookie cutter, everything will be that shape at the end even if it’s not cookie dough. esc_attr The official docs contain the answer: When … Read more
The wp_kses() call looks to me unnecessary as you're already escaping the values within the foreach loop. esc_js() should be just fine as the strings are mostly hard-coded and the only part that is changing is the date value, so escape that. If the value is always 1, then escaping it doesn't add any real value. … Read more
how do I esc them? You don't; both approaches are fundamentally wrong in multiple ways that make them irrecoverable. First Case echo "<script> alert( 'Authorization successful. Hello ' + '$me')</script>"; In this scenario we are trying to use alert to display a string, and append both values together. Aside from the usage of alert there … Read more
It is recommended to escape as late as possible, but the function simply adds a trailing slash (/) (after removing existing one, if any), and I noticed core also used trailingslashit( esc_url() ), so I guess that’s how we would do it. But that is not a definitive answer to your question (which is interesting, … Read more