esc_html and esc_attr are near-identical, the only difference is that output gets passed through differently named filters ( esc_html and attribute_escape respectively). esc_url is more complex and specific, it deals with characters that can’t be in URLs and allowed protocols (list of which can be passed as second argument). It will also prepend input with … Read more
Any that return data. If a function outputs internally, then it’s taken responsibility for escaping if a function returns the data for use, it will be unescaped to avoid double escaping, it’s your responsibility This is because you should always late escape so that there is no doubt if a variable is escaped. If the … Read more
Since esc_html_e will escape HTML link (hence will show the HTML anchor as plain text), you’ll need to segment the text and escape the non-HTML part with esc_html_e or esc_html__, and print the HTML LINK part without HTML escaping. Method-1 (just for your understanding): You may do it in parts, like this: esc_html_e( ‘Dear Guest, … Read more
From the Codex entry for Data Validation: URLs: esc_url( $url, (array) $protocols = null ) (since 2.8) Always use esc_url when sanitizing URLs (in text nodes, attribute nodes or anywhere else). Rejects URLs that do not have one of the provided whitelisted protocols (defaulting to http, https, ftp, ftps, mailto, news, irc, gopher, nntp, feed, … Read more
There’s some confusion here, because not all of these are validation, there are 2 others that are necessary to understand what’s appropriate: validation sanitisation escaping Sanitisation Sanitisation makes things clean and well formed This cleans up the data, e.g. trimming trailing spaces, removing letters in a number field, making an all lowercase field all lowercase, … Read more
Here is a PHP library that was created for sanitizing SVG files that may be worth looking into. https://github.com/darylldoyle/svg-sanitizer Here is an example of how this could be used: // Now do what you want with your clean SVG/XML data function your_save_meta( $post_id, $post, $update ) { // – Update the post’s metadata. if ( … Read more
It would appear that out of the box, there isn’t a difference function esc_html( $text ) { $safe_text = wp_check_invalid_utf8( $text ); $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES ); /** * Filters a string cleaned and escaped for output in HTML. * * Text passed to esc_html() is stripped of invalid or special characters * before … Read more
stripslashes(wp_filter_post_kses(addslashes($_POST[‘sidebar_code’]))); but you should know that the kses filter is not 100% safe.
We have to look a bit deeper here to get an answer to your question. So, bloginfo is a simple wrapper around get_bloginfo. <?php function bloginfo( $show=” ) { echo get_bloginfo( $show, ‘display’ ); } Notice the second argument display. Let’s see what that does. <?php function get_bloginfo( $show = ”, $filter=”raw” ) { // … Read more
That’s question is only relevant, because WordPress use a mix from a coding language and layout language. If you would use a template language, syntax, than is this topic not relevant. But to your question. If you use your example source for a Theme, much more layout language like html, then I prefer the first … Read more