The Problem This turned out to be a common case of needing to use stripslashes();. How did I figure this out? I logged into phpMyAdmin, navigated to the options table, found my option name, and edited it. Here’s what I discovered… s:11:”description”;s:90:”<span style=\”text-decoration: underline;\”>This is supposed to be underlined text.</span>”; So obviously my plugin is … Read more
Right, so it will simply do its best to close any unclosed tag – that’s it. Nothing more. As you can see if you look at the source code, all the function does is make sure to balance out the tags that might not be. It’s also explained in the codex. (“force_balance_tags” is the real … Read more
The possible output of base64_encode() contains a-zA-Z0-9+/ and possibly = or == appended. Testing with $str=”abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=”; we find that: esc_attr( $str ) === $str is true, so it looks like esc_attr() preserves base64 encoded strings. There are possible regexes to help with validation, but according to this answer by @BoltClock, we could check it with … Read more
Based on WordPress documentation for esc_attr function, it is returning a string value. So, If you need to have the integer value, you need using intval function. But, when you want to display that value or put it as part of markup, it doesn’t make sense. Escape functions are useful for outputting and printing values. … Read more
The WordPress Coding Standards sniffs treat do_shortcode() as an “autoescaped function”. This appears to have been discussed in 2015 in these GitHub issues: https://github.com/WordPress/WordPress-Coding-Standards/issues/167 https://github.com/WordPress/WordPress-Coding-Standards/issues/428 The explanation used when it was added to the list was: I discussed this with VIP support (#44195). David, after conferring with another team member, said that it’s unnecessary, as … Read more
Yep, you can escape it as normal HTML, like so: <?php echo esc_html( $email ); ?> For the mailto link, you can use esc_url. Just make sure you include mailto: into the URL, e.g.: <a href=”<?php echo esc_url( ‘mailto:’ . $email ); ?>”> So a fully escaped mail link would look like this: <a href=”<?php … Read more
Always escape output unless you have a great reason not to. The main thing that you lose when escaping translated strings is the ability to use html tags and html entities in the original string and translations, but you should probably not get into a situation in which translators are required to know html just … Read more
Try using sanitize_text_field instead of esc_html wp> $search_query = “Dalton’s Law <br/>”; string(18) “Dalton’s Law <br/>” wp> $query = apply_filters( ‘get_search_query’, $search_query ); string(18) “Dalton’s Law <br/>” wp> $esc_html = esc_html( $query ); string(29) “Dalton's Law <br/>” wp> $sanitized = sanitize_text_field( $query ); string(12) “Dalton’s Law” esc_html should be used to escape output before it … Read more
Running the output through escaping function should be just fine. You can either use wp_kses_post(), which by default allows the same html attributes that you would use in the post content (see in codex): echo wp_kses_post( wp_get_attachment_image( $image_id ) ); or if you want to be more precise and strict, you can pass an array … Read more
I face this issue quite often on my own site where I publish code tutorials. Unfortunately, there isn’t a good solution. Instead, I recommend this workflow: Use the WYSIWYG editor to build your article content leaving placeholders for your code snippets. Switch to the HTML editor to add your code snippets The visual editor (TinyMCE) … Read more