esc_attr() is written specifically for escaping a string that is to be used as an html attribute, which means also escaping single and double-quote characters etc. In general, it’s better to use the data validation API that WP provides rather than the generic PHP functions.
That is correct, the updating in the Admin section does not change the & to & while the wp_update_post() function (which can be found under /wp-includes/post.php on line 3772) does but only when the user does not have the capability unfiltered_html, let me explain how I found this out, and what I recommend. I did … Read more
Escaping is used to produce valid HTML or other formats, and it depends on context. Escaping a url in something like <a href=”https://wordpress.stackexchange.com/questions/215822/<?php echo $url?>”…. is needed in order to replace any “&” characters with & (although browsers will most likely fix it for you if you don’t do it). Escaping a url in an … Read more
The security risk here is not about the plain text but about translation. You should note that esc_html_e is not only a function for escaping HTML but also for localization (l10n). I.e. other people can translate this String but you don’t know what the translation would be. It is possible that somebody translates the String … Read more
Yes it does. Escaping depends on context and in worst case like using esc_html when writing directly to the DB are just a security hole. Even if there is no security issue, there is theoretical one. The user asked you to store A, and you are storing B. In a simple cases B is exactly … Read more
I just installed SyntaxHighlighter Evolved, and while testing on an existing post I was dismayed to find that all the quotes ” had been converted to " (the single quotes were fine). I was using the HTML editor. In case you are also in this position, I found that it’s just the post preview that … Read more
You are looking for wp_kses(). https://developer.wordpress.org/reference/functions/wp_kses/ There are more helper functions like wp_kses_post() and wp_kses_data()
You can look at the Codex. Encodes < > & ” ‘ (less than, greater than, ampersand, double quote, single quote). Will never double encode entities. Given that, arguably, both of those strings need sanitization. Imagine a site name like >> “My” Website’s Great Title <<” Also, since you are using this in Javascript, you … Read more
No, escaping should happen at the moment of output ( late escaping ) so that we know that it only occurs once. Double escaping can allow specially crafted output to break out. By escaping, we’re talking about functions such as esc_html, wp_kses_post, esc_url, etc. Sanitizing functions and validating functions are not the same, e.g. sanitize_textfield. … Read more
Note that the WPCS standards for PHPCS are not “official”. I am one of the maintainers, and all that we can do is to do our best to match the standards that WordPress suggests. In this case, I’m unsure how you would escape the output from wp_oembed_get(). The function may indeed need to be escaped … Read more