When do I need to use esc_attr when using WordPress internal functions

You can look at the Codex.

Encodes < > & ” ‘ (less than, greater than, ampersand, double quote,
single quote). Will never double encode entities.

Given that, arguably, both of those strings need sanitization. Imagine a site name like >> "My" Website's Great Title <<"

Also, since you are using this in Javascript, you should probably be using esc_js instead.

The convention is, “understand how markup works, and how malicious hackers work, and act accordingly.” That is how you know how to use these functions. Also, Trust No One.

See also this article from our member Stephen Harris: Data Sanitization and Validation With WordPress

Related Posts:

  1. Sanitizing, Validating and Escaping in WordPress (Plugin)
  2. Escape when echoed
  3. Is Wrapping intval() Around esc_attr() Redundant for Escaping Input?
  4. How to be escape Variables and options when echo?
  5. Uninstall, Activate, Deactivate a plugin: typical features & how-to
  6. Best way to initiate a class in a WP plugin?
  7. How do you debug plugins?
  8. How to structure a plugin
  9. What’s the preferred method of writing AJAX-enabled plugins?
  10. Add multiple plugin directories
  11. What are the differences between WPINC and ABSPATH?
  12. How to add a shortcode button to the TinyMCE editor?
  13. Where do I put the code snippets I found here or somewhere else on the web?
  14. What Plugins Demonstrate Great WP Plugin Development? [closed]
  15. is_plugin_active function doesn’t exist
  16. Delete WordPress plugin Repository
  17. Custom pages with plugin
  18. How to change a user’s password programatically
  19. Who are the most trusted plugin developers? [closed]
  20. How can I find plugins’ slug?
  21. List all sidebar names?
  22. What are the common security flaws I need to look for? [closed]
  23. Get plugin_dir_url() from one level deep within plugin
  24. Pass PHP variable to javascript
  25. Where is the best place to use add_filter
  26. Can a developer adopt a plugin marked as “not updated in over 2 years”?
  27. Conditionally enqueue a widget’s script/stylesheet in HEAD (only when present on page!)
  28. How to implement WordPress plugin update that modifies the database?
  29. What is difference between get_bloginfo(‘url’) and get_site_url()?
  30. Custom media upload content for inserting custom post shortcode
  31. Stop a plugin in the activation process when a certain WP version is not met then show error message in admin_notices action hook
  32. How to Add a Third Level Sub Menu to the WordPress Admin Menu
  33. How to Add an Index to Plugin Database table
  34. Does the number of downloads displayed for a plug-in in the WordPress.org plug-in directory include automatic updates?
  35. how to create child WordPress plugin
  36. Redesigning Custom Post Type “Add New” page
  37. How to safely sanitize a textarea which takes full HTML input
  38. How to Remove Certain Screen Options and Meta Boxes from add/edit post type?
  39. Making my plugin multi-site compatible
  40. Why activate_plugin is not working in register_activation_hook
  41. Get plugin directory from a theme
  42. dealing with large HTML output via plugin code
  43. Best Practice for Referencing the Plugin Directory
  44. Getting Path To Uploaded Attachment Image After Upload
  45. Update plugin from personal API
  46. Giving Multiple Authors Access to a Plugin’s WP.org Repo
  47. Plugin upgrading: Widget settings
  48. Create a table in custom plugin on the activating it?
  49. How to call a plugin function from index.php
  50. dbDelta only creates the last table
  51. How would you require and automatically download dependent plugins?
  52. Update my custom WordPress Plugin through my own server [duplicate]
  53. Do plugin files have to follow a specific convention to be “picked up” by WordPress?
  54. Loading external page template and enqueue script from plugin causes 403 forbidden error
  55. How can I make it so the Add New Post page has Visibility set to Private by default?
  56. My custom made plugin has “a new version available” which links to unrelated plugin
  57. wp.media update options and force render on uploader
  58. WordPress Plugin Development In MVC Architecture, How?
  59. Creating two database tables via plugin
  60. Is it a good idea to edit an already existing plugin to add more functionality?
  61. How to stop showing admin notice after close button has been clicked
  62. Custom Filter in WordPress to modify footer information via plugin?
  63. Checking if an attribute exists in a shortcode
  64. How to create a WordPress plugin for another wordpress plugin?
  65. Does a plugin’s “main” file need to be named the same as the folder containing it?
  66. Query Posts by Custom Field ‘Price’
  67. Rewriting every url
  68. Is There a WordPress Hook to Filter the Edit Posts View?
  69. Symlinked plugin directory doesn’t appear in Admin
  70. Add section (add_settings_section) to a custom page (add_submenu_page)
  71. Where the Nickname is being used in WordPress
  72. Where can I find a schema of wordpress plugin core architecture?
  73. Creating a WordPress admin page without a menu for a plugin
  74. How to delete custom taxonomy terms in plugin’s uninstall.php?
  75. Problems with autoloading classes via sp_autoload_register / maybe interfering WP-specific autoloader
  76. Redirect to settings page after install
  77. How does WordPress handle MySQL row lock errors?
  78. Advice on naming files for a plugin
  79. How to remove duplicate sub-menu name for top level menu items in a plugin?
  80. WordPress plugin from own server
  81. How to avoid plugin name conflicts from the upgrade notifier?
  82. WordPress Plugin Development from Scratch. How? [closed]
  83. Page Templates from plugin not working after upgrading WP to 4.7 or upper version
  84. Creating a user’s own folder on user registration
  85. When can you get current page ID and initialize hooks right after?
  86. Namespaces in WordPress – How do I initiate the main class?
  87. Show Similar Post Titles ( Similar to Stack Exchange )
  88. How to add option box in “Edit Post” plugin API?
  89. Customize plugin update “new version is available” text
  90. Add rewrite rule to permalink structure
  91. Notify Admins about Plugin Merge
  92. How do I unlock a post programmatically?
  93. Customizing subject in comment notification e-mails
  94. category_name not working (not showing up in sql query debug)
  95. How to save the values of checkbox to the register setting?
  96. enqueue script only if it is not already enqueue
  97. Is there any record of installed plugins in the database?
  98. Why do I get this “plugin does not have a valid header” error?
  99. Using require_once in a Plugin?
  100. How can I make my custom shortcode work in a Custom HTML Widget?

Leave a Comment

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)