What is the difference between esc_html filter vs attribute_escape filter?

It would appear that out of the box, there isn’t a difference

function esc_html( $text ) {
    $safe_text = wp_check_invalid_utf8( $text );
    $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
    /**
     * Filters a string cleaned and escaped for output in HTML.
     *
     * Text passed to esc_html() is stripped of invalid or special characters
     * before output.
     *
     * @since 2.8.0
     *
     * @param string $safe_text The text after it has been escaped.
     * @param string $text      The text prior to being escaped.
     */
    return apply_filters( 'esc_html', $safe_text, $text );
}
function esc_attr( $text ) {
    $safe_text = wp_check_invalid_utf8( $text );
    $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
    /**
     * Filters a string cleaned and escaped for output in an HTML attribute.
     *
     * Text passed to esc_attr() is stripped of invalid or special characters
     * before output.
     *
     * @since 2.0.6
     *
     * @param string $safe_text The text after it has been escaped.
     * @param string $text      The text prior to being escaped.
     */
    return apply_filters( 'attribute_escape', $safe_text, $text );
}

The only difference between the 2 functions is the filter applied at the end. WordPress doesn’t add anything to these filters, so in a standard WP install they are non-operations. They’re provided in the edge case that somebody might need them.

Quick Q&A

So by default they’re identical?

Yes! The esc_attr and esc_html functions have the same implementation

Are the filters identical?

The only difference is they have different names, they work the same way, they’re used the same way, and neither filter is used in core.

Do the filters do anything?

No! All the escaping is done in the function when wp_check_invalid_utf8 and _wp_specialchars are called.

The filters don’t do the escaping, they’re an opportunity for plugins to do additional checks and processing.

Are there any edge cases?

Only if you use the filters, say you hooked into esc_html but not attribute_escape, or vice versa. For a standard WP install, the 2 functions are identical, with no difference.

Why attribute_escape and not esc_attr?

Backwards compatibility. There used to be an attribute_escape function, which is now marked as deprecated after the esc_ style functions were added.

Why would I use these filters?

¯\_(ツ)_/¯ this would be a rare situation. Some people might abuse it in the same way translation APIs are abused to search replace text. This is already bad practice as those filters get called a lot a small speed loss is magnified thousands of times

But consider that if you’re not careful you may compromise the security of these functions by undoing the escaping they added, or adding unescaped content at the end. For that reason the filters are dangerous.

Do I Need To Worry About This?

No. You only need to worry if you’ve made use of those filters, which by itself should have set off massive red alarms that something in your development went seriously wrong.

The functions esc_attr and esc_html are safe to use, and escape content. You have an ethical and moral obligation to use them if you value the security of your code

Does this mean I should just use esc_html?

No, escaping is all about setting expectations. If you’re expecting an attribute, use esc_attr. Just because it’s functionally the same at the moment, doesn’t mean that won’t change in the future with a security release

Related Posts:

  1. Should I escape wordpress functions like the_title, the_excerpt, the_content
  2. From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
  3. What’s the difference between esc_* functions?
  4. What to use instead of wp_kses() in user output
  5. How to escape custom css?
  6. Do you need to escape hard coded plain text?
  7. Do I need to use the esc_html() function on hard coded links?
  8. How Could I sanitize the receive data from this code
  9. Something is unescaping all html entities before output to browser [closed]
  10. Do we need to escape data that we receive from theme options?
  11. should I escape a literal url added in functions.php
  12. how to sanitizing $_POST with the correct way?
  13. what is a auth_user_file.txt?
  14. How to view PHP on live site
  15. Is moving wp-config outside the web root really beneficial?
  16. Hide the fact a site is using WordPress?
  17. Verifying that I have fully removed a WordPress hack?
  18. Can I Prevent Enumeration of Usernames?
  19. Best way to eliminate xmlrpc.php?
  20. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  21. Should I remove install.php and install-helper.php?
  22. Are Nonces Useless?
  23. Will there be security updates for 3.1 once 3.2 is released?
  24. How do I technically prove that WordPress is secure?
  25. WordPress it’s cleaning a custom query_var to avoid sql injections?
  26. How do WordPress Nonces Work?
  27. Tips for finding SPAM links injected into the_content
  28. Is WordPress vulnerable to the httpoxy?
  29. How can I easily verify a core or plugin update has not broken anything?
  30. Vanilla WordPress install, what can/should I put in disable_functions?
  31. wp.getUsersBlogs XMLRPC Brute Force Attack/Vulnerability
  32. Secure my “add_settings_field” translation?
  33. Is there a security risk giving someone temporary access to my blog’s code?
  34. How to properly sanitize/secure a WP Query coming from the front end
  35. WordPress Logout Only If User Click Logout or If User Delete Browser History
  36. How brute-forcer knows that the password is cracked for target username?
  37. wp_insert_post disable HTML filter
  38. Can someone (Support of my themeprovider) get access to my server If I send them my admin login?
  39. Whats the safest way to output custom JavaScript and Css code entered by the admin in the Theme Settings?
  40. Completely remove the author url
  41. Restricting access to content
  42. About WordPress site security
  43. Relative security of different releases of WordPress
  44. Escape when echoed
  45. Where to store OAuth 2.0 client id and secret?
  46. How can I safely use $_SERVER[‘REQUEST_URI’] to avoid XSS?
  47. Using HTACCESS for Secret Access
  48. Definitive wordpress directory ownership and permissions on linux
  49. Dangers to allowing Access-Control-Allow-Origin: * for Feeds only?
  50. Changing Table Prefixes – once done, am I good to go going forward?
  51. wordpress website host price and security [closed]
  52. What is the safe way to print tracking code / pixel code before tag or tag
  53. Are there security risks in working directly in the themes folder that builds into a theme folder?
  54. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  55. Changing the default header name
  56. how much information can we hide when using wordpress cms?
  57. Is it safe to use a global wp nonce per user instead of a nonce per action?
  58. Basic password protection without using users and roles
  59. System setting changed by system user
  60. Does meta-data need to be sanitized?
  61. Will there be security updates for WordPress 4.9.9
  62. How to escape multiple attribute at once in WordPress?
  63. Any known bugs that could cause disappearance of the wp_users table?
  64. On new server, site got hacked, permissions a bit strange? Please help
  65. 404/500 error on content images if Referer header is from another domain [closed]
  66. Are SVG image files safe to upload? Why WP defines them as a security risk? [duplicate]
  67. Restrict Access without Creating Users
  68. Switching between security plugins is a risk?
  69. How to obfuscate wp-config.php or code
  70. Security issue with ‘paged’ and ‘posts_per_page’ parameters taken directly from a POST request?
  71. How to prevent to direct access of my custom plugin folder/files
  72. Checking for origin of a xmlrpc request
  73. RESTRICT EDIT of PHP files?
  74. wp-content – permissions for files/folders created by apache
  75. How can I restrict access to specific parts of a page, not just the page itself?
  76. User generated content and security
  77. Are major WordPress updates mandatory for security?
  78. i moved wp-config.php outside of public html and this broke my website
  79. Monitor wordpress all external calls
  80. Is it safe to use the basic administration with reduced rights for private member space
  81. Securing WordPress running on Azure platform
  82. Verifying that I have fully removed a WordPress hack?
  83. Spam Registrations
  84. How can I have more confidence that WP plugins aren’t getting and storing user data?
  85. Standard Method for Securing a WordPress Site
  86. wordpress security (only one part of the site)
  87. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  88. Any way to disable /wp-login.php redirecting to the site folder?
  89. Could a user account with a stolen password compromised entire WP site?
  90. Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
  91. Secure a WordPress website in 2019: one plugin or a combinations of them?
  92. What are the different types of firewall protections available for a WordPress website?
  93. Is this a WordPress security bug?
  94. Competitor is somehow accessing MetaData on a hidden WordPress site
  95. WordPress Hacks/Defacing [closed]
  96. How do you search for backdoors from the previous IT person?
  97. Possible to change email address in keypair?
  98. Why is SSH password authentication a security risk?
  99. Is wp-cron.php vulnerable to external attacks and how to protect it?
  100. How to address security vulnerabilities: LUCKY13, BEAST, and BREACH

Leave a Comment