While this is probably a duplicate of What’s the difference between esc_html, esc_attr, esc_html_e, and so on? I’m going to go ahead and provide an answer anyway, since as @cag8f indicated, there’s not an accepted answer on that question (but I’ll add that I think Tom’s answer there tells you what you need to know). … Read more
Yes! You should always be escaping Escape Late, Escape Often Escaping is about intent, if you intend to output a URL, use esc_url, and it will definately be a URL ( if the data is malicious it will be made safe ) What I still wonder is should I always use esc_attr in HTML fields, … Read more
I figured out a solution to my question. First of all, in my original query, I should have specified OR instead of AND for searching between group names and group descriptions. (It was skewing the results.) And I needed to double escape my ‘%’s in the LIKE statements. Here is the updated query which works … Read more
What you (and probably 99% of the theme authors) are trying to do is just wrong. Users should not be expected to know CSS to customize a theme, and if they do need to go into such a low level, the right thing for them to do is to create a child theme and insert … Read more
General difference between esc_attr and esc_attr_* The difference between esc_attr() and esc_attr__(), esc_attr_e(), esc_attr_x() is that the later three are just “wrappers” or in other words higher level API functions. When you look at the source of the later three, then you’ll see that those put in a single argument wrapped in a call to … Read more
The function for the pre_get_posts action uses a WP_Query object (http://codex.wordpress.org/Plugin_API/Action_Reference/pre_get_posts) When using functions such as get_posts or classes such as WP_Query and WP_User_Query, WordPress takes care of the necessary sanitization in querying the database. However, when retrieving data from a custom table, or otherwise performing a direct SQL query on the database – proper … Read more
Let’s go and see what would core do. In default-filters.php here is what content output passes through: add_filter( ‘the_content’, ‘wptexturize’ ); add_filter( ‘the_content’, ‘convert_smilies’ ); add_filter( ‘the_content’, ‘convert_chars’ ); add_filter( ‘the_content’, ‘wpautop’ ); add_filter( ‘the_content’, ‘shortcode_unautop’ ); add_filter( ‘the_content’, ‘prepend_attachment’ ); None of these are dedicated security/escaping functions really. It is similar for comments, which … Read more
esc_html and esc_attr are near-identical, the only difference is that output gets passed through differently named filters ( esc_html and attribute_escape respectively). esc_url is more complex and specific, it deals with characters that can’t be in URLs and allowed protocols (list of which can be passed as second argument). It will also prepend input with … Read more
Any that return data. If a function outputs internally, then it’s taken responsibility for escaping if a function returns the data for use, it will be unescaped to avoid double escaping, it’s your responsibility This is because you should always late escape so that there is no doubt if a variable is escaped. If the … Read more
Since esc_html_e will escape HTML link (hence will show the HTML anchor as plain text), you’ll need to segment the text and escape the non-HTML part with esc_html_e or esc_html__, and print the HTML LINK part without HTML escaping. Method-1 (just for your understanding): You may do it in parts, like this: esc_html_e( ‘Dear Guest, … Read more