Correct way of using esc_attr() and esc_html()

Escaping is all about eliminating the need for trust or “it should be an XYZ” and instead guaranteeing it by force that “it will always be an XYZ”. It’s like a cookie cutter, everything will be that shape at the end even if it’s not cookie dough. esc_attr The official docs contain the answer: When …

Escaping inline JS correctly

The wp_kses() call looks to me unnecessary as you’re already escaping the values within the foreach loop. esc_js() should be just fine as the strings are mostly hard-coded and the only part that is changing is the date value, so escape that. If value is always 1, then escaping it doesn’t add any real value. …

How should esc_url be combined with trailingslashit?

It is recommended to escape as late as possible, but the function simply adds a trailing slash (/) (after removing the existing one, if any), and I noticed core also used trailingslashit( esc_url() ), so I guess that’s how we would do it. But that is not a definitive answer to your question (which is interesting, …

How to sanitize $_POST the correct way?

Instead of looping through the array, use this: map_deep( $form_data, 'sanitize_text_field' ); (see the User Notes in the function doc: https://developer.wordpress.org/reference/functions/sanitize_text_field/ ) The docs state that it: checks for invalid UTF-8; converts single < characters to entities; strips all tags; removes line breaks, tabs, and extra whitespace; strips percent-encoded characters. So you could also use the …

esc_url, esc_url_raw or sanitize_url?

This might be a more useful demonstration: <a href="<?php echo esc_url( $url ); ?>">I'm printing a URL to the frontend</a> $url = sanitize_url( $_GET['user_inputted_data'] ); update_post_meta( $post_id, 'that_url', $url ); esc_url is an escaping function, sanitize_url is a sanitising function. Sanitising functions clean incoming data, e.g. removing letters from phone numbers, stripping trailing space etc. …

Is escaping get_option( 'time_format' ) necessary?

Should you escape these? $date_format = "Y/m/d"; $time_format = get_option( 'time_format' ); No. That would be early escaping! Early escaping is very bad! However, should you escape this? echo '<td>' . $date . ' ' . $time . '</td>'; YES. Escaping is not about whether it’s needed or not, if you ever find yourself saying “It shouldn’t be a problem because it’s always a” stop …