Escaping get_option( 'time_format' ) is necessary?

Should you escape these? $date_format = "Y/m/d"; $time_format = get_option( 'time_format' ); No. That would be early escaping! Early escaping is very bad! However, should you escape this? echo '<td>' . $date . ' ' . $time . '</td>'; YES. Escaping is not about whether it's needed or not; if you ever find yourself saying "It shouldn't be a problem because it's always a" stop …

Escaping and Special Characters (e.g. &)

If I put <script>alert('hello');</script> in the title of a WordPress page with the default theme the script runs. This is expected behaviour. HTML is typically allowed in titles in WordPress. The standard WordPress function, the_title(), does not escape the title. If you don't want to allow script tags then you need to sanitize the input …

Escaping Issues

The point of escaping is to make sure that when a value is output, it cannot output anything malicious, or anything that would just break the markup of the page. For example, when outputting a variable, you will want to escape certain characters so that the value can't unintentionally open or close HTML tags, which could …

How to keep specific tag from an html string?

I had to ask to finally find the solution, lol. wp_kses does exactly that: $allowed_tags = array( 'a' => array( 'href' => array(), ), ); $content = '<a href="#">link</a> <b>strong text</b>'; $content = wp_kses( $content, $allowed_tags ); I found the solution in another topic.

Help about Escaping

Here are just a few examples of what escaping looks like: Escaping URLs: <?php echo esc_url( home_url() ); ?> Escaping Content: <?php echo esc_html( get_the_title() ); ?> Escaping Attributes: <?php echo esc_attr( $my_class ); ?> Escaping Content but keeping HTML: <?php echo wp_kses_post( get_the_content() ); ?> Escaping Emails: <?php echo sanitize_email( $email_address ); ?> For …

file_get_contents | escaping doesn't show the page

Well, esc_html() doesn't echo/display the return value (the escaped string), so you need to call echo manually: echo esc_html( $FileContents ); Update: If you actually want to filter the list of allowed HTML tags in the variable's value, then you can use WordPress' KSES functions like wp_kses_post() and wp_kses_data(): echo wp_kses_post( $FileContents ); echo wp_kses_data( …

Echoing a URL to a link

No other value can be used in place of display and db. WordPress just checks for the value display and converts & and 'quotes' to HTML entities (including all other characters). If you pass db it just skips this block of code. However, WordPress recommends using esc_url_raw() instead of passing the third argument. You can …

How to safely escape data that contains HTML attributes

wp_kses: You could use wp_kses to define specific HTML tag/attribute combinations to be permitted in the escaped output. $allowed_html = [ 'div' => [ 'class' => [], ], ]; echo wp_kses( '<div class="whatever">hey</div>', $allowed_html ); wp_kses_post: You could use wp_kses_post. It's a pretty heavy function to use for such a purpose, but it is a valid …