Is it necessary to use escape functions on everything or is it only necessary if you’re taking input from a 3rd party? (End Users, APIs, Etc.)

That wordpress.org page was probably written by someone who does not get security. Escaping is done to make sure that your output, when it is part of an HTML page, is displayed to the user as you intend it to be, which means converting things like “<” to the appropriate HTML entity. Yes, if you do … Read more

If necessary, how should wp_get_attachment_image() and its parameters be escaped?

TLDR: No parameters need to be escaped. The below assumes no third-party code is hooked into any filters run by the wp_get_attachment_image() function or its sub-function calls: $attachment_id (parameter 1) This is used to get the attachment post and reference it in other functions. This parameter is not used in direct output and thus does not need to … Read more

How do I return XML to an API post request

Because you don’t return JSON, you can use admin-post.php. Create a hook like this: add_action('admin_post_nopriv_MY_PLUGIN__answer', function () { header('Content-type: text/xml'); echo '<abc><def>1</def></abc>'; exit(); }); and then use the URL /wp-admin/admin-post.php?action=MY_PLUGIN__answer. When debugging, don’t forget that admin_post_nopriv only answers for users who are not logged in, so you can open the URL in another browser.

Correct way of using esc_attr() and esc_html()

Escaping is all about eliminating the need for trust or “it should be an XYZ” and instead guaranteeing it by force that “it will always be an XYZ”. It’s like a cookie cutter, everything will be that shape at the end even if it’s not cookie dough. esc_attr The official docs contain the answer: When … Read more

Escaping inline JS correctly

The wp_kses() call looks unnecessary to me, as you’re already escaping the values within the foreach loop. esc_js() should be just fine, as the strings are mostly hard-coded and the only part that is changing is the date value, so escape that. If the value is always 1, then escaping it doesn’t add any real value. … Read more
