Not necessarily. They do different things. wp_strip_all_tags() strips HTML tags from a given string, but that’s not the only reason you escape things. esc_attr(), for example, ensures that ” characters are escaped so that a value doesn’t break HTML attributes. For example, if I have a variable whose value is the string my-“class, and I … Read more
A tool like PHP CodeSniffer, combined with the WordPress Coding Standards can be used to warn you if values are not being escaped. These warnings can be shown in the editor if the editor has a PHPCS extension of some kind (VS Code does, but I’m not sure about PhpStorm). With PHPCS it’s possible to … Read more
You probably wouldn’t. If you did it would be to make sure it was in place already if in future you decided to make the variable dynamic or filterable. In this case I would suggest it for similar reasons to #1. You may know where $class is coming from now, but this may change in … Read more
According to the developers handbook, these are the functions that should be used when outputting anything: esc_attr() // Use on everything else that’s printed into an HTML element’s attribute. esc_html() // Use anytime an HTML element encloses a section of data being displayed. esc_js() // Use for inline Javascript. esc_textarea() // Use this to encode … Read more
No, you don’t have to escape values that cannot be changed by someone else. You should escape output that might be changed by some other source, for example if there is a filter running on the values. Let’s say you are using wp_upload_dir() to find the upload directory – and you absolutely should, because the … Read more
wp_kses You could use wp_kses to define specific html-tag/attribute combinations to be permitted in the escaped output. $allowed_html = [ ‘div’ => [ ‘class’ => [], ], ]; echo wp_kses( ‘<div class=”whatever”>hey</div>’, $allowed_html ); wp_kses_post You could use wp_kses_post. It’s a pretty heavy function to use for such a purpose, but it is a valid … Read more
Try stripslashes. See the php documentation. To clarify, the slashes are inserted to escape the content prior to insertion into the database. You should use the above function when you want to display the content.
YES. You always escape output that originally comes from user submitted data. To be safe, you always escape variable output, period.
The only way I can see for getting this to work is running the output through html_entity_decode() and stripslashes() and saving it with esc_attr(): Saving the term: $wpdb->update( $wpdb->term_taxonomy, array( ‘description’ => esc_attr( $_POST[‘_term_desc’] ) ), array( ‘term_id’ => $term_id ) ); Showing the term on the front end: echo apply_filters( ‘the_content’, html_entity_decode( stripslashes( $term->description … Read more
When you register a setting, you pass the santize callback for that setting: register_setting( ‘my_setting_group’, ‘my_setting_name’, // The next parameter is the validation callback ‘my_setting_validation’ ); Then, in the validation callback you can allow whatever you want. For example, in the next code snippet, users with unfiltered_html capability will be allowed to insert raw HTML … Read more