HTML escaping data with ajax requests

If it is not HTML, it does not need HTML escaping; if it is not JS, it does not need JS escaping. All escaping is context based. In general you should probably just avoid sending "text" in response and focus on sending data which is "converted" into whatever is the relevant DOM structures, either directly … Read more

How to escape multiple attribute at once in WordPress?

The reason you escape attributes is to make sure that the values don't have any characters that will break the HTML of the element. For example, if you didn't escape:

$attr = "foo"> <script>alert("Bad!");</script>";

Then this:

<div class="<?php echo $attr; ?>"></div>

Would output:

<div class="foo"> <script>alert("Bad!");</script>"</div>

Which would let the script run. So wp_kses_post() is completely wrong … Read more

How to safely escape the title attribute

Some screen readers read the title attribute plus the link text, so those visitors would hear "Hello world! Hello world!". So unless your real title attribute is different from the link text and provides additional context to users of screen readers, you may wish to just not use the title attribute. Or, you … Read more

Escaping crashes my output

There are several issues here:

echo esc_attr_e should be just esc_attr_e; the _e means it already echoes.

esc_attr_e is not just an escaping function, it's a localisation API; it's shorthand for echo esc_attr( __( …

esc_attr strips out HTML; it's intended for use inside HTML attributes where HTML tags are not allowed. You must never pass … Read more

Why is esc_html__() not used on every text that has a translation (in Twenty Twenty One)?

The simple answer appears to be human error. Originally, during development, Twenty Twenty One had one menu, registered like this:

'primary' => __( 'Primary Navigation', 'twentytwentyone' ),

Then somebody went through and added escaping to many __() calls throughout the theme, resulting in this:

'primary' => esc_html__( 'Primary Navigation', 'twentytwentyone' ),

Then, later on, a second … Read more

Using esc_attr_e

I would suggest using esc_html instead of esc_attr for that, e.g.

<a href="https://wordpress.stackexchange.com/questions/185318/<?php echo esc_url( $url ); ?>" class="<?php echo esc_attr( $classes ); ?>">
    <?php echo esc_html( $title ); ?>
</a>
<div>
    <?php echo wp_kses_post( $html_with_safe_tags ); ?>
</div>
<script>
    <?php echo wp_json_encode( $data_for_js ); ?>
</script>

There is also: esc_html__, esc_attr__, etc. (escape translations too! … Read more

How to allow &nbsp; with wp_kses()?

Not sure of the difference, but I used &nbsp for adding a white space, then passed it through wp_kses(). The correct HTML entity for a non-breaking space is &nbsp; — note the ; which is required, and without it (i.e. &nbsp), the entity is not valid, and when used with wp_kses() you'd get &amp;nbsp instead of … Read more

Do I need to escape get_theme_mod('url') / ('mail') with esc_url?

Yes, you do. Even if you have sanitised the value when saving it, you should always escape on output.

<a href="https://wordpress.stackexchange.com/questions/355618/<?php echo esc_url( get_theme_mod( 'url' ) ); ?>">

If you're outputting a mailto: link to an email address, you also need to escape this with esc_url(); just make sure that the mailto: part is included in … Read more