Sanitizing output that contains quotes?

Another solution would be to put the style directly in the header, and only put the escaped values in, which would solve the double quote issue, but in the case that no styling has been set I’m left with an empty style in my element, and that also seems kinda unnecessary. You could e.g. check …

What’s a safe / good way to output HTML safely within WordPress templates?

It depends on the context. In a template you’d just echo it: <div> <?php echo parse_html_for_images(); ?> </div> In a function you might want to concatenate it with something else: function wpse_303376_thumbnail() { return '<div>' . parse_html_for_images() . '</div>'; } In a shortcode callback with lots of other markup you might want to use output buffering, …

textarea field is getting escaped for some unknown reason

WordPress always adds magic quotes regardless of server settings. This ensures consistency regardless of the environment. Even though magic quotes has been removed or deprecated from PHP, WordPress keeps this behaviour for backwards compatibility with older versions of PHP and plugins that were written with older versions of PHP in mind. If you want to …

Does meta-data need to be sanitized?

Yes, it’s a good practice to sanitize input and escape output. It’s important to use the correct function, though, so that you don’t inadvertently mess up your data. Since it’s for a URL, use esc_url_raw() (it is specifically for db usage). (Note: it may seem odd using a function with the “esc_” stem for sanitizing, …

confused about sanitize_email after is_email [duplicate]

Regarding the edited question, here’s another old Q&A, which might actually be a better reference, Should I sanitize an email address before passing it to the is_email() function?, especially @kaiser’s answer. And regarding kaiser’s Funny sidefact now as I had a look at the sources for both functions (is_email(), sanitize_email()), they are indeed basically the …

How to escape $_GET and check if isset?

The proper way to do that is using filter_input(). Here is an example for using a custom sanitize function: $tab = filter_input( INPUT_GET, 'tab', FILTER_CALLBACK, ['options' => 'esc_html'] ); $tab = $tab ?: 'front_page_options';