How to properly escape a translated string?

WordPress has a baked-in solution: esc_html__( string $text, string $domain = 'default' ) You can use that to replace __() and __x() but the second one looks for contextual translations where you specify the context for the string being translated. The codex for it is right here: https://developer.wordpress.org/reference/functions/esc_html__/

why is esc_html() returning nothing given a string containing a high-bit character?

Perhaps because the entity is a non-UTF8 character? Here's what esc_html() does: function esc_html( $text ) { $safe_text = wp_check_invalid_utf8( $text ); $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES ); return apply_filters( 'esc_html', $safe_text, $text ); } If not that, then it's getting sanitized when filtered by _wp_specialchars(), which does double-encoding (by default, no) and all sorts of things. … Read more

How Flexible are the WordPress Coding Standards for PHPCS?

Consider something like the following: echo esc_html( sprintf( _nx( '%1$s Comment on “%2$s”', '%1$s Comments on “%2$s”', $comment_count, 'Comments Title', 'theme-text-domain' ), number_format_i18n( $comment_count ), get_the_title() ) ); Where you build the entire string with sprintf and escape that. The coding standards are clear that you should always escape output, and do so as late … Read more

Allow all attributes in $allowedposttags tags

I'm pretty sure you have to explicitly name all allowed attributes – just use: $allowedposttags['iframe'] = array( 'align' => true, 'frameborder' => true, 'height' => true, 'width' => true, 'sandbox' => true, 'seamless' => true, 'scrolling' => true, 'srcdoc' => true, 'src' => true, 'class' => true, 'id' => true, 'style' => true, 'border' … Read more

When do I need to use esc_html()? [duplicate]

While this is probably a duplicate of What’s the difference between esc_html, esc_attr, esc_html_e, and so on? I’m going to go ahead and provide an answer anyway, since as @cag8f indicated, there’s not an accepted answer on that question (but I’ll add that I think Tom’s answer there tells you what you need to know). … Read more

esc_attr / esc_html / esc_url in echos

Yes! You should always be escaping. Escape Late, Escape Often. Escaping is about intent: if you intend to output a URL, use esc_url, and it will definitely be a URL (if the data is malicious it will be made safe). What I still wonder is should I always use esc_attr in HTML fields, … Read more

How to correctly escape query variables to be used in WP_Query

The function for the pre_get_posts action uses a WP_Query object (http://codex.wordpress.org/Plugin_API/Action_Reference/pre_get_posts) When using functions such as get_posts or classes such as WP_Query and WP_User_Query, WordPress takes care of the necessary sanitization in querying the database. However, when retrieving data from a custom table, or otherwise performing a direct SQL query on the database – proper … Read more