This was a case of UTF-8 character encoding taking over the presentational view of your browser and converting those HTML entities into their counter parts, human readable text. After all, you might have very well wanted a string that looked like; “BLA for some reason or another to the eyes of your viewer instead of … Read more
Using a snippet of code like this: $hook_name=”the_content”; global $wp_filter; var_dump($wp_filter[$hook_name]); I was able to find a list of all hooked callback functions to the WordPress filter: the_content. I then located a few possible culprits, then searched for their function existence. After narrowing down my list, I came to the conclusion on the hooked callback … Read more
like_escape() only escapes % and _ characters. The entire function looks like this: function like_escape($text) { return str_replace(array(“%”, “_”), array(“\\%”, “\\_”), $text); } Quoting from the Codex, esc_attr() Encodes the <, >, &, ” and ‘ (less than, greater than, ampersand, double quote and single quote) characters. Will never double encode entities. Always use when … Read more
The Problem This turned out to be a common case of needing to use stripslashes();. How did I figure this out? I logged into phpMyAdmin, navigated to the options table, found my option name, and edited it. Here’s what I discovered… s:11:”description”;s:90:”<span style=\”text-decoration: underline;\”>This is supposed to be underlined text.</span>”; So obviously my plugin is … Read more
Right, so it will simply do its best to close any unclosed tag – that’s it. Nothing more. As you can see if you look at the source code, all the function does is make sure to balance out the tags that might not be. It’s also explained in the codex. (“force_balance_tags” is the real … Read more
The possible output of base64_encode() contains a-zA-Z0-9+/ and possibly = or == appended. Testing with $str=”abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=”; we find that: esc_attr( $str ) === $str is true, so it looks like esc_attr() preserves base64 encoded strings. There are possible regexes to help with validation, but according to this answer by @BoltClock, we could check it with … Read more
Based on WordPress documentation for esc_attr function, it is returning a string value. So, If you need to have the integer value, you need using intval function. But, when you want to display that value or put it as part of markup, it doesn’t make sense. Escape functions are useful for outputting and printing values. … Read more
The WordPress Coding Standards sniffs treat do_shortcode() as an “autoescaped function”. This appears to have been discussed in 2015 in these GitHub issues: https://github.com/WordPress/WordPress-Coding-Standards/issues/167 https://github.com/WordPress/WordPress-Coding-Standards/issues/428 The explanation used when it was added to the list was: I discussed this with VIP support (#44195). David, after conferring with another team member, said that it’s unnecessary, as … Read more
Yep, you can escape it as normal HTML, like so: <?php echo esc_html( $email ); ?> For the mailto link, you can use esc_url. Just make sure you include mailto: into the URL, e.g.: <a href=”<?php echo esc_url( ‘mailto:’ . $email ); ?>”> So a fully escaped mail link would look like this: <a href=”<?php … Read more
Always escape output unless you have a great reason not to. The main thing that you lose when escaping translated strings is the ability to use html tags and html entities in the original string and translations, but you should probably not get into a situation in which translators are required to know html just … Read more