escaping - Read For Learn

Should HTML output be passed through esc_html() AND wp_kses()?

The general rule, at least as espoused by Mark Jaquith, is sanitize on input, escape on output (the corollary to this rule being sanitize early, escape late). So: use sanitization filters (such as the kses() family) when storing untrusted data in the database, and use escaping filters (i.e. the esc_*() family) when outputting untrusted data … Read more

Should I escape wordpress functions like the_title, the_excerpt, the_content

Escaping depends entirely on the context in which you are using the functions. What is safe for displaying inside <h1> tags, is not necessarily safe to display for the value attribute of an input field, and even that wouldn’t necessarily be safe as a href attribute value…. In short – perform the sanitisation yourself as … Read more

What’s the difference between esc_html, esc_attr, esc_html_e, and so on?

esc_html() escapes a string so that it is not parsed as HTML. Characters like < are converted to <, for example. This will look the same to the reader, but it means that if the value being output is <script> then it won’t be interpreted by the browser as an actual script tag. Use this … Read more

With “magic quotes” disabled, why does PHP/WordPress continue to auto-escape my POST data?

I think I found it. Problem (bug): http://core.trac.wordpress.org/ticket/18322 Solution: http://codex.wordpress.org/Function_Reference/stripslashes_deep Note: As suggested by @Alexandar O’Mara, you might want to reconsider overwriting the superglobals like this. If it’s appropriate for your situation, for example, you might just “strip locally” using an alternative like $post = array_map(‘stripslashes_deep’, $_POST); Also see @quickshiftin’s excellent answer.

Unrecognized escape sequence for path string containing backslashes

You can either use a double backslash each time or use the @ symbol

How do I escape ampersands in XML so they are rendered as entities in HTML?

When your XML contains &amp;, this will result in the text &. When you use that in HTML, that will be rendered as &.

How do I use spaces in the Command Prompt?

Single quotation marks won’t do in that case. You have to add quotation marks around each path and also enclose the whole command in quotation marks:

What’s the Use of ‘\r’ escape sequence?

\r is a carriage return character; it tells your terminal emulator to move the cursor at the start of the line. The cursor is the position where the next characters will be rendered. So, printing a \r allows to override the current line of the terminal emulator. Tom Zych figured why the output of your … Read more

Escaping HTML strings with jQuery

Since you’re using jQuery, you can just set the element’s text property:

Invalid escape sequence (valid ones are \b \t \n \f \r \” \’ \\ )

You need to escape the “\” in the file path.

+ More