According to the developers handbook, these are the functions that should be used when outputting anything: esc_attr() // Use on everything else that’s printed into an HTML element’s attribute. esc_html() // Use anytime an HTML element encloses a section of data being displayed. esc_js() // Use for inline Javascript. esc_textarea() // Use this to encode … Read more
No, you don’t have to escape values that cannot be changed by someone else. You should escape output that might be changed by some other source, for example if there is a filter running on the values. Let’s say you are using wp_upload_dir() to find the upload directory – and you absolutely should, because the … Read more
wp_kses You could use wp_kses to define specific html-tag/attribute combinations to be permitted in the escaped output. $allowed_html = [ ‘div’ => [ ‘class’ => [], ], ]; echo wp_kses( ‘<div class=”whatever”>hey</div>’, $allowed_html ); wp_kses_post You could use wp_kses_post. It’s a pretty heavy function to use for such a purpose, but it is a valid … Read more
Try stripslashes. See the php documentation. To clarify, the slashes are inserted to escape the content prior to insertion into the database. You should use the above function when you want to display the content.
YES. You always escape output that originally comes from user submitted data. To be safe, you always escape variable output, period.
The only way I can see for getting this to work is running the output through html_entity_decode() and stripslashes() and saving it with esc_attr(): Saving the term: $wpdb->update( $wpdb->term_taxonomy, array( ‘description’ => esc_attr( $_POST[‘_term_desc’] ) ), array( ‘term_id’ => $term_id ) ); Showing the term on the front end: echo apply_filters( ‘the_content’, html_entity_decode( stripslashes( $term->description … Read more
When you register a setting, you pass the santize callback for that setting: register_setting( ‘my_setting_group’, ‘my_setting_name’, // The next parameter is the validation callback ‘my_setting_validation’ ); Then, in the validation callback you can allow whatever you want. For example, in the next code snippet, users with unfiltered_html capability will be allowed to insert raw HTML … Read more
If it is not HTML, it does not need HTML escaping, if it is not JS, it does not need JS escaping. All escaping is context based. In general You should probably just avoid sending “text” in response and focus on sending data which is “converted” into whatever is the relevant DOM structures, either directly … Read more
The reason you escape attributes is to make sure that the values don’t have any characters that will break the HTML of the element. For example, if you didn’t escape: $attr=”foo”> <script>alert(“Bad!”);</script>”; Then this: <div class=”<?php echo $attr; ?>”></div> Would output: <div class=”foo”> <script>alert(“Bad!”);</script>”</div> Which would let the script run. So wp_kses_post() is completely wrong … Read more
Some screen readers read the title attribute plus the link text – so those visitors would hear “Hello world! Hello world!” – so unless your real title attribute is different than the link text and provides additional context to users of screen readers, you may wish to just not use the title attribute. Or, you … Read more