How Flexible are the WordPress Coding Standards for PHPCS?

Consider something like the following: echo esc_html( sprintf( _nx( '%1$s Comment on “%2$s”', '%1$s Comments on “%2$s”', $comment_count, 'Comments Title', 'theme-text-domain' ), number_format_i18n( $comment_count ), get_the_title() ) ); where you build the entire string with sprintf and escape that. The coding standards are clear that you should always escape output, and do so as late … Read more

When outputting a static string to the page, is it necessary to escape the output?

The _e() function displays a translated string; so 1) you’re actually echoing dynamic text; and 2) yes, you should escape a translated string. Relevant excerpt taken from the internationalization security guide in the Plugin Handbook: Escape Internationalized Strings You can’t trust that a translator will only add benign text to their localization; if they … Read more
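The two points above (escaping the assembled sprintf string as late as possible, and treating translated strings as untrusted) as an added, stand-alone example. This is not code from the answers or from WordPress: translate() stands in for __()/_e() with a constructed translation table, and the esc_html() defined here is a stand-in that covers what WordPress's esc_html() does for these inputs.

```php
<?php
// Added example, not from the original page. The WordPress functions are
// replaced by minimal stand-ins so the script runs without WordPress.

// Constructed translation table. The second entry is what a careless or
// malicious translator could ship in a .po file: the "static" literal in the
// theme is replaced at runtime by whatever the translation contains.
const TRANSLATIONS = [
    'Read more'       => 'Weiterlesen',
    'Leave a comment' => 'Kommentar <script>document.location="https://evil.example/"</script>',
];

// Stand-in for __() / _e(): returns the translation if one exists.
function translate(string $text): string
{
    return TRANSLATIONS[$text] ?? $text;
}

// Stand-in for WordPress esc_html(): encode the HTML-significant characters.
function esc_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// _e()-style output: translator-controlled text goes to the page verbatim.
function unescaped_i18n(string $text): string
{
    return translate($text);
}

// esc_html_e()-style output: escape what the translator gave us.
function escaped_i18n(string $text): string
{
    return esc_html(translate($text));
}

// The sprintf pattern from the first question: build the whole string from the
// translated template and the dynamic values, then escape it once, as the last
// step before output. Single-quoted PHP strings keep %1$s literal.
function comments_title(int $count, string $post_title): string
{
    $template = $count === 1
        ? translate('%1$s Comment on “%2$s”')
        : translate('%1$s Comments on “%2$s”');
    return esc_html(sprintf($template, number_format($count), $post_title));
}

$demo = [
    'unescaped' => unescaped_i18n('Leave a comment'),
    'escaped'   => escaped_i18n('Leave a comment'),
    'title'     => comments_title(3, 'Hello <b>world</b>'),
];
foreach ($demo as $label => $html) {
    echo str_pad($label, 10), ': ', $html, PHP_EOL;
}
```

The first line of output carries the translator's script tag into the page; the second shows the same translation with its angle brackets encoded. The third shows that escaping the assembled string also neutralizes markup arriving through the post title, which is the reason for escaping the final string rather than its parts.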

Allow all attributes in $allowedposttags tags

I’m pretty sure you have to explicitly name all allowed attributes – just use: $allowedposttags['iframe'] = array ( 'align' => true, 'frameborder' => true, 'height' => true, 'width' => true, 'sandbox' => true, 'seamless' => true, 'scrolling' => true, 'srcdoc' => true, 'src' => true, 'class' => true, 'id' => true, 'style' => true, 'border' … Read more

How to correctly escape query variables to be used in WP_Query

The function for the pre_get_posts action uses a WP_Query object (http://codex.wordpress.org/Plugin_API/Action_Reference/pre_get_posts) When using functions such as get_posts or classes such as WP_Query and WP_User_Query, WordPress takes care of the necessary sanitization in querying the database. However, when retrieving data from a custom table, or otherwise performing a direct SQL query on the database – proper … Read more

Should HTML output be passed through esc_html() AND wp_kses()?

The general rule, at least as espoused by Mark Jaquith, is sanitize on input, escape on output (the corollary to this rule being sanitize early, escape late). So: use sanitization filters (such as the kses() family) when storing untrusted data in the database, and use escaping filters (i.e. the esc_*() family) when outputting untrusted data … Read more
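An added example, written for this page and not taken from the answers or from WordPress, that ties the $allowedposttags answer above to the sanitize-on-input / escape-on-output rule. kses_like() is a small stand-in for wp_kses(): it takes an allow-list in the same shape as $allowedposttags (tag => array of attribute => true) and removes every tag and attribute not named in it. The allow-list, the comment text and the author name are constructed; esc_html_stub() stands in for esc_html().

```php
<?php
// Added example, not from the original page. Requires the DOM extension.

// Allow-list in the $allowedposttags shape. Anything not listed is dropped;
// that is why event-handler attributes never need to be named here.
$allowed = [
    'p'      => [],
    'a'      => ['href' => true, 'title' => true],
    'iframe' => ['src' => true, 'width' => true, 'height' => true,
                 'frameborder' => true, 'sandbox' => true],
];

// Stand-in for wp_kses(): parse the fragment, walk it, keep only listed
// tags and attributes, and serialize what is left.
function kses_like(string $html, array $allowed): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);           // silence warnings for unknown tags
    $doc->loadHTML('<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
        . $html . '</body></html>');
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    filter_children($body, $allowed);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function filter_children(DOMNode $node, array $allowed): void
{
    // Snapshot the list first: removing from a live NodeList while iterating skips nodes.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!isset($allowed[$tag])) {
                $node->removeChild($child);      // drops <script>, <style>, ... with their content
                continue;
            }
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                if (!isset($allowed[$tag][strtolower($attr->name)])) {
                    $child->removeAttribute($attr->name);
                }
            }
            filter_children($child, $allowed);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);          // comments and processing instructions
        }
    }
}

// Stand-in for esc_html(): for plain-text output contexts.
function esc_html_stub(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed untrusted input, as it might arrive from a comment form.
$comment = '<p onclick="alert(1)">Hi</p><script>steal()</script>'
    . '<iframe src="https://example.com/" srcdoc="<script>alert(1)</script>" sandbox></iframe>'
    . '<a href="https://example.com/" onmouseover="x()">link</a>';
$author = 'Eve <script>alert(1)</script>';

// Sanitize on input: this is what would be stored.
$stored = kses_like($comment, $allowed);

// Escape on output, per context: text context gets esc_html; the stored HTML
// is filtered again with the same allow-list (esc_html here would print the
// tags as literal text, which is the "AND" the question asks about).
echo '<p class="author">', esc_html_stub($author), '</p>', PHP_EOL;
echo '<div class="comment">', kses_like($stored, $allowed), '</div>', PHP_EOL;
```

Running it prints the author name with its script tag encoded, and the comment with the onclick, onmouseover and srcdoc attributes and the script element removed while the allowed iframe and link survive. The iframe list here is deliberately narrower than the one in the $allowedposttags answer: srcdoc supplies a complete HTML document for the frame to render and style is free-form CSS, so they are left out unless that is intended.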

How to escape apostrophe (‘) in MySql?

The MySQL documentation you cite actually says a little bit more than you mention. It also says, A "'" inside a string quoted with "'" may be written as "''". (Also, you linked to the MySQL 5.0 version of Table 8.1. Special Character Escape Sequences, and the current version is 5.6 — but the current Table 8.1. Special Character … Read more
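An added example for the last two questions (direct SQL needing its own handling, and the apostrophe inside a quoted literal). It is not from the answers and does not use $wpdb; it uses PDO with an in-memory SQLite database (pdo_sqlite extension assumed) so it runs outside WordPress. The doubled-apostrophe form quoted from the MySQL manual above is also accepted by SQLite; the backslash form is MySQL-specific and is not shown. The table and rows are constructed.

```php
<?php
// Added example, not from the original page. Requires pdo_sqlite.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE authors (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample rows, one of them containing an apostrophe.
$rows = ["O'Reilly", 'Smith'];

// 1. Hand-built literal: inside a '...'-quoted string the apostrophe is
//    written twice, exactly as the manual excerpt above says.
function sql_string_literal(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}
foreach ($rows as $name) {
    $db->exec('INSERT INTO authors (name) VALUES (' . sql_string_literal($name) . ')');
}

// 2. A direct query that pastes the value into the SQL text unescaped: the
//    apostrophe in the value closes the literal early and the statement breaks;
//    a crafted value changes the statement's meaning instead (see below).
function naive_lookup(PDO $db, string $needle): string
{
    try {
        $stmt = $db->query("SELECT name FROM authors WHERE name = '$needle'");
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['name'] : '(no row)';
    } catch (PDOException $e) {
        return 'SQL error: ' . $e->getMessage();
    }
}

// 3. The prepared-statement form, which is what $wpdb->prepare() provides in
//    WordPress: the value is bound separately and never touches the SQL text,
//    so no quoting rule has to be applied by hand.
function prepared_lookup(PDO $db, string $needle): string
{
    $stmt = $db->prepare('SELECT name FROM authors WHERE name = ?');
    $stmt->execute([$needle]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : '(no row)';
}

$needle = "O'Reilly";
echo 'naive:    ', naive_lookup($db, $needle), PHP_EOL;
echo 'prepared: ', prepared_lookup($db, $needle), PHP_EOL;

// The same naive query with a crafted value matches every row.
$crafted = "x' OR '1'='1";
$count = $db->query("SELECT count(*) FROM authors WHERE name = '$crafted'")->fetchColumn();
echo 'naive query with crafted input matches ', $count, ' of ', count($rows), ' rows', PHP_EOL;
```

The first lookup reports a syntax error because the apostrophe in O'Reilly terminates the literal; the prepared lookup returns the row. The final query shows why the escaping question matters beyond broken statements: with the value spliced into the SQL text, a crafted input turns an equality test into one that is always true.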