These arguments contain arbitrary HTML and cannot be properly escaped. This is essentially a limitation on how Widgets code was designed and you can see in core Widget classes that no escaping is done on these. Lessons to learn: WP core doesn’t consistently adhere to its own coding standards (and getting there isn’t considered worth … Read more
As far as I know wp_localize_script doesn’t escape data any more than is necessary to produce valid JSON, and everything is sent as a string. The function was originally designed to allow translating the strings used in your JS into other languages (hence the “localize” part of the function name). So if the data you’re … Read more
I’m not sure if this is a bug, but it need further investigation. I’ve run a few quick tests on the name field in a tax_query, and whenever a term name has got a special character or have more than one word, the tax_query is excluded from the SQL query TEST 1 I have use … Read more
While this is probably a duplicate of What’s the difference between esc_html, esc_attr, esc_html_e, and so on? I’m going to go ahead and provide an answer anyway, since as @cag8f indicated, there’s not an accepted answer on that question (but I’ll add that I think Tom’s answer there tells you what you need to know). … Read more
Yes! You should always be escaping Escape Late, Escape Often Escaping is about intent, if you intend to output a URL, use esc_url, and it will definately be a URL ( if the data is malicious it will be made safe ) What I still wonder is should I always use esc_attr in HTML fields, … Read more
I figured out a solution to my question. First of all, in my original query, I should have specified OR instead of AND for searching between group names and group descriptions. (It was skewing the results.) And I needed to double escape my ‘%’s in the LIKE statements. Here is the updated query which works … Read more
What you (and probably 99% of the theme authors) are trying to do is just wrong. Users should not be expected to know CSS to customize a theme, and if they do need to go into such a low level, the right thing for them to do is to create a child theme and insert … Read more
General difference between esc_attr and esc_attr_* The difference between esc_attr() and esc_attr__(), esc_attr_e(), esc_attr_x() is that the later three are just “wrappers” or in other words higher level API functions. When you look at the source of the later three, then you’ll see that those put in a single argument wrapped in a call to … Read more
The function for the pre_get_posts action uses a WP_Query object (http://codex.wordpress.org/Plugin_API/Action_Reference/pre_get_posts) When using functions such as get_posts or classes such as WP_Query and WP_User_Query, WordPress takes care of the necessary sanitization in querying the database. However, when retrieving data from a custom table, or otherwise performing a direct SQL query on the database – proper … Read more
Let’s go and see what would core do. In default-filters.php here is what content output passes through: add_filter( ‘the_content’, ‘wptexturize’ ); add_filter( ‘the_content’, ‘convert_smilies’ ); add_filter( ‘the_content’, ‘convert_chars’ ); add_filter( ‘the_content’, ‘wpautop’ ); add_filter( ‘the_content’, ‘shortcode_unautop’ ); add_filter( ‘the_content’, ‘prepend_attachment’ ); None of these are dedicated security/escaping functions really. It is similar for comments, which … Read more