You cannot use constants or anything other than actual strings with translation functions. This is because the code that reads your code, and produces the translatable strings does not actually run your code, it is reading your code. Here is a more detailed post on the topic: http://ottopress.com/2012/internationalization-youre-probably-doing-it-wrong/ But the short version is this: This … Read more
WordPress has a baked in solution: esc_html__( string $text, string $domain = ‘default’ ) You can use that to replace __() and __x() but the second one looks for contextual translations where you specify the context for the string being translated. The codex for it is right here: https://developer.wordpress.org/reference/functions/esc_html__/
Perhaps because the entity is a non-UTF8 character? Here’s what esc_html() does: function esc_html( $text ) { $safe_text = wp_check_invalid_utf8( $text ); $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES ); return apply_filters( ‘esc_html’, $safe_text, $text ); } If not that, then it’s getting sanitized when filtered by _wp_specialchars(), which does double-encoding(by default,no) and all sorts of things. … Read more
Consider something like the following: echo esc_html( sprintf( _nx( ‘%1$s Comment on “%2$s”’, ‘%1$s Comments on “%2$s”’, $comment_count, ‘Comments Title’, ‘theme-text-domain’ ), number_format_i18n( $comment_count ), get_the_title() ) ); Where you build the entire string with sprintf and escape that. The coding standards are clear that you should always escape output, and do so as late … Read more
The _e() function displays a translated string; so 1) You’re actually echoing a dynamic text; and 2) Yes, you should escape a translated string. Relevant excerpt taken from the internationalization security guide in the Plugin Handbook: Escape Internationalized Strings You can’t trust that a translator will only add benign text to their localization; if they … Read more
I’m pretty sure you have to explicitly name all allowed attributes – just use: $allowedposttags[‘iframe’] = array ( ‘align’ => true, ‘frameborder’ => true, ‘height’ => true, ‘width’ => true, ‘sandbox’ => true, ‘seamless’ => true, ‘scrolling’ => true, ‘srcdoc’ => true, ‘src’ => true, ‘class’ => true, ‘id’ => true, ‘style’ => true, ‘border’ … Read more
esc_attr() is written specifically for escaping a string that is to be used as an html attribute, which means also escaping single and double-quote characters etc. In general, it’s better to use the data validation API that WP provides rather than the generic PHP functions.
While this is probably a duplicate of What’s the difference between esc_html, esc_attr, esc_html_e, and so on? I’m going to go ahead and provide an answer anyway, since as @cag8f indicated, there’s not an accepted answer on that question (but I’ll add that I think Tom’s answer there tells you what you need to know). … Read more
Yes! You should always be escaping Escape Late, Escape Often Escaping is about intent, if you intend to output a URL, use esc_url, and it will definately be a URL ( if the data is malicious it will be made safe ) What I still wonder is should I always use esc_attr in HTML fields, … Read more
The function for the pre_get_posts action uses a WP_Query object (http://codex.wordpress.org/Plugin_API/Action_Reference/pre_get_posts) When using functions such as get_posts or classes such as WP_Query and WP_User_Query, WordPress takes care of the necessary sanitization in querying the database. However, when retrieving data from a custom table, or otherwise performing a direct SQL query on the database – proper … Read more