How to safely escape the title attribute

Some screen readers read the title attribute plus the link text – so those visitors would hear “Hello world! Hello world!” – so unless your real title attribute is different than the link text and provides additional context to users of screen readers, you may wish to just not use the title attribute. Or, you …

Escaping crashes my output

There are several issues here. echo esc_attr_e should be just esc_attr_e; the _e means it already echoes. esc_attr_e is not just an escaping function, it's a localisation API; it's shorthand for echo esc_attr( __( …. esc_attr strips out HTML; it's intended for use inside HTML attributes where HTML tags are not allowed. You must never pass …

Why esc_html_() is not used on every text that has a translation (on Twenty Twenty One)?

The simple answer appears to be human error. Originally, during development, Twenty Twenty One had one menu, registered like this: 'primary' => __( 'Primary Navigation', 'twentytwentyone' ), Then somebody went through and added escaping to many __() throughout the theme, resulting in this: 'primary' => esc_html__( 'Primary Navigation', 'twentytwentyone' ), Then, later on, a second …

Using esc_attr_e

I would suggest using esc_html instead of esc_attr for that, e.g.

    <a href="<?php echo esc_url( $url ); ?>" class="<?php echo esc_attr( $classes ); ?>">
        <?php echo esc_html( $title ); ?>
    </a>
    <div>
        <?php echo wp_kses_post( $html_with_safe_tags ); ?>
    </div>
    <script>
        <?php echo wp_json_encode( $data_for_js ); ?>
    </script>

There is also: esc_html__, esc_attr__, etc. (escape translations too! …

How to allow &nbsp with wp_kses()?

not sure the difference but I used &nbsp for adding a white space ..then passed it through wp_kses() The correct HTML entity for a non-breaking space is &nbsp; — note the ; which is required and without it (i.e. &nbsp), the entity is not valid and when used with wp_kses(), you’d get &amp;nbsp instead of …

Do I need to escape get_theme_mod(‘url’) / (‘mail’) with esc_url?

Yes, you do. Even if you have sanitised the value when saving it, you should always escape on output.

    <a href="<?php echo esc_url( get_theme_mod( 'url' ) ); ?>">

If you’re outputting a mailto: link to an email address, you also need to escape this with esc_url(), just make sure that the mailto: part is included in …

Using esc_url() on a url more than once

It’s okay to use it more than once, but not encouraged. However, in your first example, you’re saving the URL to the database. When you do that, or when using the URL in the wp_remote_* context, or a redirect, or any other non-display context, you should be using esc_url_raw() instead. Also note that get_post_meta will …

Translate a Constant while appeasing WordPress PHPCS

You cannot use constants or anything other than actual strings with translation functions. This is because the code that reads your code and produces the translatable strings does not actually run your code; it is reading your code. Here is a more detailed post on the topic: http://ottopress.com/2012/internationalization-youre-probably-doing-it-wrong/ But the short version is this: This …

How to properly escape a translated string?

WordPress has a baked in solution: esc_html__( string $text, string $domain = 'default' ) You can use that to replace __() and __x() but the second one looks for contextual translations where you specify the context for the string being translated. The codex for it is right here: https://developer.wordpress.org/reference/functions/esc_html__/

why is esc_html() returning nothing given a string containing a high-bit character?

Perhaps because the entity is a non-UTF8 character? Here’s what esc_html() does:

    function esc_html( $text ) {
        $safe_text = wp_check_invalid_utf8( $text );
        $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
        return apply_filters( 'esc_html', $safe_text, $text );
    }

If not that, then it’s getting sanitized when filtered by _wp_specialchars(), which does double-encoding (by default, no) and all sorts of things. …