The _e() function displays a translated string; so 1) You’re actually echoing a dynamic text; and 2) Yes, you should escape a translated string. Relevant excerpt taken from the internationalization security guide in the Plugin Handbook: Escape Internationalized Strings You can’t trust that a translator will only add benign text to their localization; if they … Read more
I’m pretty sure you have to explicitly name all allowed attributes – just use: $allowedposttags[‘iframe’] = array ( ‘align’ => true, ‘frameborder’ => true, ‘height’ => true, ‘width’ => true, ‘sandbox’ => true, ‘seamless’ => true, ‘scrolling’ => true, ‘srcdoc’ => true, ‘src’ => true, ‘class’ => true, ‘id’ => true, ‘style’ => true, ‘border’ … Read more
Look at the source of the_content(): function the_content($more_link_text = null, $stripteaser = false) { $content = get_the_content($more_link_text, $stripteaser); $content = apply_filters(‘the_content’, $content); $content = str_replace(‘]]>’, ‘]]>’, $content); echo $content; } As you can see, there is no filter to prevent that. If you really need inline JavaScript in an XML document you have to escape … Read more
Nope, you don’t need to escape hard-coded URLs.
I’m assuming $settings is an assigned variable elsewhere in your code? If so, then ya gotta globalise it son (variable scope in PHP): function outputFavIcon() { global $settings; ?> And spell it right too 😉 <?php if ( isset ( $settings[‘generel_settings’ /* <- typo? */][‘fav_icon’] ) ) {
Is it really need to escape translatable strings? Yes. If a string is translatable then that means its value can be changed from an external source. This means it’s not safe. and how shall i do that? See the documentation on how to escape with WordPress. When it comes to translatable strings, there are two … Read more
If I’m allowed to answer my own question here: I found a way to stop the conversion of my html entities back to characters by using <?php esc_textarea( $text ) ?>, as detailed by the codex here: http://codex.wordpress.org/Function_Reference/esc_textarea. Not sure if this is the right way of doing it, but its working. My (snipped) metabox … Read more
esc_attr() is written specifically for escaping a string that is to be used as an html attribute, which means also escaping single and double-quote characters etc. In general, it’s better to use the data validation API that WP provides rather than the generic PHP functions.
That is correct, the updating in the Admin section does not change the & to & while the wp_update_post() function (which can be found under /wp-includes/post.php on line 3772) does but only when the user does not have the capability unfiltered_html, let me explain how I found this out, and what I recommend. I did … Read more
Escaping is used to produce valid HTML or other formats, and it depends on context. Escaping a url in something like <a href=”https://wordpress.stackexchange.com/questions/215822/<?php echo $url?>”…. is needed in order to replace any “&” characters with & (although browsers will most likely fix it for you if you don’t do it). Escaping a url in an … Read more