Why would you use esc_attr() on internal functions?

  1. You probably wouldn’t. If you did it would be to make sure it was in place already if in future you decided to make the variable dynamic or filterable.
  2. In this case I would suggest it for similar reasons to #1. You may know where $class is coming from now, but this may change in future, and it prepares the function for potential use in different contexts where $class may not be controlled.
  3. You need to escape here because you know for certain that your code has no control over what the value of $class may be, and you should make sure that your code does not break if an improper value is passed. This is not solely a security concern. As you will learn from following questions on this site, many developers who use filters do not necessarily know what they are doing. They may write code that takes a dynamic value and adds it as a class using your filter. Most of the time this might be fine, but what if they are automatically pulling something in like a post title? Eventually there may be a post title with a " character, and this will break the markup of their site if you do not escape the values from that filter. An experienced developer would know what the problem is and escape it themselves, but not all developers who might use your filter are quite as experienced.

Related Posts:

  1. Escaping built-in WP function return strings
  2. What is the difference between esc_html and wp_filter_nohtml_kses?
  3. What is the difference between strip_tags and wp_filter_nohtml_kses?
  4. WordPress security issue to output data from user input from theme option form
  5. Securing/Escaping Output of file content – reading via fread() in PHP
  6. wp_nonce_field displaying twice
  7. Is it necessary to do validation again when retrieving data from database?
  8. Using HTML links within translatable string
  9. Using password protection to load different page elements?
  10. esc_url, esc_url_raw or sanitize_url?
  11. ajaxurl not defined on front end
  12. How to store username and password to API in wordpress option DB?
  13. How can I configure Docker for developing and deploying a custom theme?
  14. Where to store PHP files created by plugin / themes
  15. Nonces can be reused multiple times? Bug / Security issue?
  16. How to post data to same page in wordpress
  17. Understanding WordPress functions’ naming conventions
  18. Is there widely accepted phpDoc syntax for documenting which hook calls a function?
  19. Log in from one wordpress website to another wordpress website
  20. How do I Make a Theme “plugin-ready”?
  21. How to Add a .js file Only in one specific Page Dynamically to Head
  22. Show a user their recently viewed posts
  23. How to use filter hook ‘post_updated_messages’ in coherence with action hook ‘save_post’
  24. Add new user and add meta at once
  25. Custom user profile, registration, login page with theme
  26. Should I use RIPS tool to test my themes and plugins?
  27. How to Display Custom Post Type’s Gallery (images ) in Through WP_Query
  28. What is better way to use Bootstrap inside admin panel?
  29. What’s the better way to add an inline script?
  30. Whats the safest way to output custom JavaScript and Css code entered by the admin in the Theme Settings?
  31. Backslashes being stripped from CSS
  32. What for the tables ending with the meta used in database of wordpress?
  33. Finding the paragraphs in content
  34. Is Dreamweaver CS5 a serious choice for theme/plugin development?
  35. What allows a template file from plugin to be copied in child theme and overridden?
  36. How to avoid loading same script twice?
  37. Is there any way to check for user login and send him to login?
  38. Can I individually style items in the backend widget list?
  39. Finding posts containing matching array elements in a meta field usign WP_Query
  40. Customizer: widget-synced triggers twice
  41. How to Create Custom HTML Tag on Editor in `Text(HTML)` mode
  42. Beginner advice
  43. Change the ‘published on’ text?
  44. How to filter users list on user_status field with get_users()
  45. Can Page Templates be Applied to Archive and Post Templates?
  46. Secure Pages Best Practice
  47. Is there some way to provide the user a list of existing content in a CPT
  48. Change the look and feel of admin pages
  49. How to access noticeOperations from withNotices
  50. How to get boolean value from register_meta properly?
  51. What is the proper method of using global $post?
  52. How to export post meta with images in wordpress
  53. Password field is empty when using wp_signon();
  54. best way to make a WordPresss multisite that is secure but at the same time supporting my plugin development efforts
  55. How to change title tag at page after loaded post?
  56. What is the safe way to print tracking code / pixel code before tag or tag
  57. Strange Situation When Try To Retrieve Github Gist Using wp_remote_get
  58. WordPress custom taxonomy check box to dropdown
  59. mysql_real_escape_string() vs. esc_sql() in WordPress
  60. Widget HTML Display Problem
  61. Is disabling test_form in wp_handle_upload a security concern?
  62. How to connect my wordpress plugin to a remote database securely?
  63. How to create a backend for a custom theme?
  64. WP Plugin Running before jQuery
  65. How do I have now a duplicated user entry if this is not allowed (and I cannot replicate it)?
  66. add_submenu_page hooked function must explicitly check user capabilities – why?
  67. How to escape multiple attribute at once in WordPress?
  68. my own SVN for a plugin/theme
  69. Why enqueue styles on hook?
  70. Getting a WordPress Debug Strategy
  71. Conditional Generation of Image Sizes using add_image_size
  72. WP Still Generating 150×150 Thumbnail Size Even After Un-Setting Small Size in Functions.php
  73. Does WordPress default CSS have Grids?
  74. How to resize WordPress images on upload to specific height and width without cropping it
  75. How can I save a password securely as a settings field
  76. rewrite_rules problem
  77. Why does website stretch and white space on load? [duplicate]
  78. How to correctly escape an echo
  79. Pass custom props to
  80. Include external po file for 3th party plugin to theme
  81. How to make premium plugin? I want to limit it until verification
  82. How to hide/remvoe unnecessary field/section in post edit section ( Dashboard )
  83. Scripts/styles not loading on cloned WP Site when logged in
  84. redirect_to how to make it simply work with get parameter or similar?
  85. Determine if the current page, is being edited
  86. Is it possible to modify an Elated plugin portfolio-list template in such a way that it will not conflict with future plugin updates?
  87. Woocommerce Custom Checkout
  88. Looping single post in a theme
  89. What is more secure checking capabilities of user or checking role of user in WordPress plugin development
  90. WordPress permalink setting
  91. Custom theme and plugin updating
  92. Adding class to the parent of current-post-ancestor / current-menu-parent / current-post-parent
  93. problem with blank page
  94. grouping my widgets wordpress
  95. Create and style menu
  96. If I want to create new taxonomies (e.g. Project / Documents / Etc…) is it better to create them in the theme’s functions.php or within a plugin? [duplicate]
  97. How to add something after a function
  98. how many rupee or dollar charge to client to make theme [closed]
  99. How to get the value entered in the input field in wordpres
  100. Why isn’t custom sidebar panel not showing up in the Gutenberg Editor?