Escaping is all about eliminating the need for trust or “it should be an XYZ” and instead guaranteeing it by force that “it will always be an XYZ”. It’s like a cookie cutter, everything will be that shape at the end even if it’s not cookie dough. esc_attr The official docs contain the answer: When … Read more
It is recommended to escape as late as possible, but the function simply adds a trailing slash (/) (after removing existing one, if any), and I noticed core also used trailingslashit( esc_url() ), so I guess that’s how we would do it. But that is not a definitive answer to your question (which is interesting, … Read more
Should you escape these? $date_format=”Y/m/d”; $time_format = get_option( ‘time_format’ ); No. That would be early escaping! Early escaping is very bad! However, should you escape this? echo'<td>’.$date .’ ‘.$time.'</td>’; YES. Escaping is not about wether it’s needed or not, if you ever find yourself saying “It shouldn’t be a problem because it’s always a” stop … Read more
If I put <script>alert(‘hello’);</script> in the title of a WordPress page with the default theme the script runs. This is expected behaviour. HTML is typically allowed in titles in WordPress. The standard WordPress function, the_title(), does not escape the title. If you don’t want to allow script tags then you need to sanitize the input … Read more
The point of escaping is to make sure that when a value is output, it cannot output anything malicious, or that would just break the markup of the page. For example, when outputting a variable, you will want to escape certain characters so that the value can’t unintentionally open or close HTML tags, which could … Read more
I had to ask to finally find the solution, lol. The wp_kses do exactly that: $allowed_tags = array( ‘a’ => array( ‘href’ => array(), ), ); $content=”<a href=”#”>link</a> <b>strong text</b>”; $content = wp_kses($content, $allowed_tags); I found the solution in another topic
Here’s just a few examples of what escaping looks like: Escaping URLS: <?php echo esc_url( home_url() ); ?> Escaping Content <?php echo esc_html( get_the_title() ); ?> Escaping Attributes <?php echo esc_attr( $my_class ); ?> Escaping Content but keep HTML <?php echo wp_kses_post( get_the_content() ); ?> Escaping Emails <?php echo sanitize_email( $email_address ) ); ?> For … Read more
Well, esc_html() doesn’t echo/display the return value (escaped string), so you need to call echo manually: echo esc_html( $FileContents ); Update If you actually want to filter the list of allowed HTML tags in the variable’s value, then you can use the WordPress’ KSES functions like wp_kses_post() and wp_kses_data(): echo wp_kses_post( $FileContents ); echo wp_kses_data( … Read more
wp_kses_post escaping doesn’t appear to work as described?
No other value can be used in place of display and db. WordPress just check for value display and convert & and ‘quotes to HTML entities (Including all other characters). If you pass db it is just skip this block of code. However, WordPress recommends to use esc_url_raw() instead of passing third argument. You can … Read more