Is it necessary to use escape functions on everything or is it only necessary if you’re taking input from a 3rd party? (End Users, APIs, Etc.)

That wordpress.org page was probably written by someone who does not get security. Escaping is done to make sure that your output, when it is part of an HTML page, is displayed to the user as you intend it to be, which means converting things like “<” to the appropriate HTML entity. Yes, if you do … Read more

If necessary, how should wp_get_attachment_image() and its parameters be escaped?

TLDR: No parameters need to be escaped. The below assumes no third-party code hooked into any filters run by the wp_get_attachment_image() function or its sub-function calls: $attachment_id (parameter 1) This is used to get the attachment post and reference it in other functions. This parameter is not used in direct output and thus does not need to … Read more

How do I return XML to an API post request

Because you don’t return JSON, you can use admin-post.php. Create a hook like this: add_action( 'admin_post_nopriv_MY_PLUGIN__answer', function () { header( 'Content-type: text/xml' ); echo '<abc><def>1</def></abc>'; exit(); } ); and then use the URL /wp-admin/admin-post.php?action=MY_PLUGIN__answer. When debugging, don’t forget that admin_post_nopriv only answers for logged-out users, so you can open the URL in another browser.

Correct way of using esc_attr() and esc_html()

Escaping is all about eliminating the need for trust or “it should be an XYZ” and instead guaranteeing by force that “it will always be an XYZ”. It’s like a cookie cutter: everything will be that shape at the end, even if it’s not cookie dough. esc_attr: The official docs contain the answer: When … Read more
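As an added illustration of the “cookie cutter” point above (example code, not from the thread and not WordPress code): the escaper has to match the output context. Plain PHP htmlspecialchars() is used so it runs without WordPress; the sample title string and the helper names are constructed for this example. It shows that the wrong flag set for an attribute context leaves a single-quoted attribute breakable, that the same input is harmless as element text once escaped, and that HTML-escaping alone does nothing about a dangerous URL scheme, which is why a separate URL escaper exists.

```php
<?php
// Added example (not from the original thread, not WordPress code).
// Context-specific escaping in plain PHP. esc_attr()/esc_html()/esc_url() in
// WordPress exist for exactly these distinct output contexts.
declare(strict_types=1);

// Constructed input: a value that closes a single-quoted attribute.
const SAMPLE_TITLE = "Alice's photo' onmouseover='alert(1)";

// Attribute context, wrong flags: ENT_COMPAT encodes only double quotes,
// so a single-quoted attribute is broken out of.
function attrWrong(string $v): string {
    return "<img src='/a.png' title='" . htmlspecialchars($v, ENT_COMPAT, 'UTF-8') . "'>";
}

// Attribute context, right flags: ENT_QUOTES encodes both quote styles,
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function attrRight(string $v): string {
    return "<img src='/a.png' title='" . htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "'>";
}

// Element-text context: quotes cannot hurt here; < and & are what matter.
function textRight(string $v): string {
    return '<span>' . htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</span>';
}

// URL attribute context: HTML-escaping does not neutralise a scheme such as
// javascript:, so the scheme is checked first. Simplified: relative URLs
// (no scheme) are rejected here as well.
function hrefRight(string $url): string {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https', 'mailto'], true)) {
        $url = '';
    }
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">link</a>';
}

echo attrWrong(SAMPLE_TITLE), PHP_EOL;   // attribute closes early, handler injected
echo attrRight(SAMPLE_TITLE), PHP_EOL;   // quotes become &#039;, attribute stays intact
echo textRight(SAMPLE_TITLE), PHP_EOL;   // plain text, nothing to break out of
echo hrefRight('javascript:alert(1)'), PHP_EOL;        // href="" (scheme rejected)
echo hrefRight('https://example.com/?a=1&b=2'), PHP_EOL; // & becomes &amp;
```

Run it with `php example.php` and compare the first two lines: only the ENT_QUOTES version keeps the browser inside the title attribute. The last two lines make the esc_url point: an escaper for HTML text or attributes is the wrong shape for a URL.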

Escaping inline JS correctly

The wp_kses() call looks to me unnecessary as you’re already escaping the values within the foreach loop. esc_js() should be just fine as the strings are mostly hard-coded and the only part that is changing is the date value, so escape that. If value is always 1, then escaping it doesn’t add any real value. … Read more

How should esc_url be combined with trailingslashit?

It is recommended to escape as late as possible, but the function simply adds a trailing slash (/) (after removing the existing one, if any), and I noticed core also used trailingslashit( esc_url() ), so I guess that’s how we would do it. But that is not a definitive answer to your question (which is interesting, … Read more

How to sanitize $_POST the correct way?

Instead of looping through the array, use this: map_deep( $form_data, 'sanitize_text_field' ); (see the User Notes in the function doc: https://developer.wordpress.org/reference/functions/sanitize_text_field/ ) The docs state that it: checks for invalid UTF-8, converts single < characters to entities, strips all tags, removes line breaks, tabs, and extra whitespace, and strips percent-encoded characters. So you could also use the … Read more
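An added example (not from the thread, not WordPress code) of why the answer above prefers map_deep() over a flat loop: form data is often nested, and a loop over the top level leaves the inner arrays untouched. The recursive walk mirrors what map_deep() does; the sanitizer is a plain-PHP stand-in that applies the steps the docs list for sanitize_text_field and is deliberately simpler than the real function. The sample $_POST-like array and the helper names are constructed for this example; mixed requires PHP 8.

```php
<?php
// Added example (not from the original thread, not WordPress code).
// Recursive sanitising of nested form data, the idea behind
// map_deep( $form_data, 'sanitize_text_field' ).
declare(strict_types=1);

// Constructed sample standing in for $_POST, with a nested array.
const SAMPLE_POST = [
    'name' => "  Alice <b>Smith</b>\t ",
    'note' => "line1\r\nline2 %3Cscript%3E",
    'tags' => ['ok', '<script>alert(1)</script>', ['deep' => 'a   b <i>c</i>']],
];

// Plain-PHP stand-in for sanitize_text_field (simplified, not the WP code):
// reject invalid UTF-8, strip tags, drop percent-encoded octets, collapse
// line breaks / tabs / runs of spaces, trim.
function sanitizeTextLike(string $v): string {
    if (preg_match('//u', $v) !== 1) {       // invalid UTF-8 -> empty string
        return '';
    }
    $v = strip_tags($v);
    $v = preg_replace('/%[a-fA-F0-9]{2}/', '', $v);
    $v = preg_replace('/[\r\n\t ]+/', ' ', $v);
    return trim($v);
}

// Recursive walk: apply $fn to every string leaf, keep keys and non-strings.
function mapDeep(mixed $value, callable $fn): mixed {
    if (is_array($value)) {
        $out = [];
        foreach ($value as $k => $v) {
            $out[$k] = mapDeep($v, $fn);
        }
        return $out;
    }
    return is_string($value) ? $fn($value) : $value;
}

// For contrast: a top-level loop silently skips nested arrays.
function flatLoopIncomplete(array $data, callable $fn): array {
    foreach ($data as $k => $v) {
        if (is_string($v)) {
            $data[$k] = $fn($v);
        }
    }
    return $data;
}

$deep = mapDeep(SAMPLE_POST, 'sanitizeTextLike');
$flat = flatLoopIncomplete(SAMPLE_POST, 'sanitizeTextLike');

var_dump($deep['tags'][1]);          // "alert(1)"  - tags stripped at depth 2
var_dump($flat['tags'][1]);          // "<script>alert(1)</script>" - untouched
var_dump($deep['tags'][2]['deep']);  // "a b c"
var_dump($deep['note']);             // "line1 line2"
```

The two var_dump lines for tags[1] are the point: identical input, but only the recursive version reaches the nested value. Note that strip_tags() removes the tags and not their contents, so "alert(1)" survives as harmless text; sanitising on input still does not replace escaping on output, which is the subject of the other threads on this page.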