Usage of esc_url, esc_html, esc_attr ... functions

wordpress escaping sanitization
10,437

Part 1

According to the documentation - Validating, Sanitizing, and Escaping by WP VIP team.

Guiding Principles

  1. Never trust user input.
  2. Escape as late as possible.
  3. Escape everything from untrusted sources (like databases and users), third-parties (like Twitter), etc.
  4. Never assume anything.
  5. Never trust user input.
  6. Sanitation is okay, but validation/rejection is better.
  7. Never trust user input.

“Escaping isn’t only about protecting from bad guys. It’s just making our software durable. Against random bad input, against malicious input, or against bad weather.” –nb

Part 2

According to the article - Introduction to WordPress Front End Security: Escaping the Things by Andy Adams from CSS-Tricks.

Function: esc_html

Used for: Output that should have absolutely no HTML in the output.

What it does: Converts HTML special characters (such as <, >, &) into their "escaped" entity (&lt;, &gt;, &amp;).

Function: esc_attr

Used for: Output being used in the context of an HTML attribute (think "title", "data-" fields, "alt" text).

What it does: The exact same thing as esc_html. The only difference is that different WordPress filters are applied to each function.

Share:
10,437
Stickers
Author by

Stickers

Updated on July 26, 2022

Comments

  • Stickers
    Stickers almost 2 years

    When are definitely needed or for a good practice to use escaping functions?

    Such as using esc_url(); with:

    get_template_directory_uri();
get_permalink();
get_author_posts_url();
get_edit_post_link();
wp_get_attachment_url();

    And esc_html(); with:

    get_the_title();
get_the_author();
get_the_date();
get_search_query();

    Also I think esc_html(); and esc_attr(); are very similar, aren't they? What are the differences?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

With "magic quotes" disabled, why does PHP/WordPress continue to auto-escape my POST data?
Flutter: How to call images from API
How to clear/delete cache in NextJs?
How to escape single quote in flutter's localization file?
How should I approach: Wordpress Social Login (web) and Flutter (mobile)
Dart Flutter - fetching WordPress Custom Post Type using Chopper
Login in Flutter using WordPress credentials
In Woocommerce, How to find all products for which a certain product is a cross-sell?
How to align a widget center in a wpbakery row?
How to solve flutter wordpress json api error?