
Questions tagged [escaping]

The tag has no usage guidance.

0 votes
1 answer

How to escape alert/window.location.replace with variable

I'm trying to write my first WordPress plugin and despite reading the documentation about escaping and reviewing other people's questions and answers I'm still not clear on how to do it in 2 cases the ...
asked by Eitan (rep 3)
0 votes
1 answer

Escaping inline JS correctly

function test_dashboard_content() { $args = array( 'posts_per_page' => -1, 'post_type' => array( 'post', 'page' ), 'post_status' => 'publish', 'date_query' => array( 'after' => '1 ...
asked by WPdummy (rep 23)
1 vote
0 answers

esc_html() doesn't work on a variable but does work on pasted text

My posts have Custom Fields, one of which includes code snippets. I tried esc_html() to present them on the site. This is what I do: $code = get_post_meta(get_the_id(),'code_snippet')[0]; $code_html = ...
asked by pend (rep 11)
1 vote
2 answers

Correct way of using esc_attr() and esc_html()

1. esc_attr() Based on the official documentation, this is correct: echo '<div id="', esc_attr( $prefix . '-box' . $id ), '">'; This is incorrect: echo '<div id="', esc_attr( $...
asked by JShinigami
0 votes
1 answer

How should esc_url be combined with trailingslashit?

Generally, I escape URLs when outputting content with esc_url like so: esc_url( get_home_url() ). If I'd like to add a trailing slash, e.g. /, I'm combining it with esc_url by prepending. An example, ...
asked by Ryan (rep 63)
0 votes
1 answer

How to sanitize $_POST the correct way?

I am trying to sanitize, validate and escape this code: $positions = $_POST['positions']; foreach ($positions as $key => $position) { $id = sanitize_text_field($position[0]); ...
asked by crazybuilding
1 vote
1 answer

esc_url, esc_url_raw or sanitize_url?

I know there's already this post here but its answers still leave me in the dark about these three methods. I'm a little confused by the selection of one of the methods mentioned in the title, if I ...
asked by DevelJoe (rep 497)
0 votes
0 answers

Escaping admin_url output being passed to js (esc_js vs esc_url)

I am now hardening my first WP plugin. One of my buttons calls a js function which is making a POST against admin-ajax.php. The non-hardened code contains the following: onclick = 'kuba_postMyStuff(&...
asked by Kuba D (rep 1)
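The question above and the window.location.replace question near the top of the list share one problem: getting a PHP value (here an admin-ajax URL) into inline JavaScript without the value being able to end the string literal or the script element. The following is an added example written for this page; it is not code from either asker, from any answer, or from WordPress core. The hostile value, the nonce string and the `https://example.test` base URL are constructed, the `inline_js_*` functions are hypothetical names, and when the file runs outside WordPress the `esc_js()`, `wp_json_encode()` and `admin_url()` definitions at the top are simplified stand-ins (an assumption that approximates core, not core itself).

```php
<?php
// Added example, not code from this page or from WordPress core.
// Outside WordPress these three helpers are undefined; the stand-ins are
// simplified approximations (assumption) so the file runs under plain PHP.
if ( ! function_exists( 'esc_js' ) ) {
    function esc_js( $text ) {
        // Core: entities for < > & ", backslash before ' and \, newlines -> \n.
        $safe = addslashes( htmlspecialchars( (string) $text, ENT_COMPAT, 'UTF-8' ) );
        return str_replace( array( "\r", "\n" ), array( '', '\\n' ), $safe );
    }
    function wp_json_encode( $data ) {
        // Core wraps json_encode() with extra error handling; the default flags
        // are the same, so "/" is emitted as "\/" and "</script>" cannot appear.
        return json_encode( $data );
    }
    function admin_url( $path = '' ) {
        return 'https://example.test/wp-admin/' . ltrim( $path, '/' ); // constructed base URL
    }
}

// Constructed hostile value standing in for anything an attacker can influence
// (a query parameter, an option, post meta). It tries to close the string
// literal, then the <script> element, then open a new script.
$hostile = "'; alert(1); // </script><script>alert(2)</script>";

// What not to do: concatenate the value into the script with no escaping.
function inline_js_raw( $url ) {
    return "<script>var ajaxUrl = '" . $url . "';</script>";
}

// Way 1: esc_js() inside a single-quoted JS string literal, the one context
// esc_js() is designed for. The quotes around the call are part of the output.
function inline_js_single_quoted( $url ) {
    return "<script>var ajaxUrl = '" . esc_js( $url ) . "';</script>";
}

// Way 2: wp_json_encode() emits a complete JS literal, quotes included, and
// handles nested data (URL plus nonce) in one go. Because "/" is escaped, the
// sequence "</script>" never reaches the HTML parser.
function inline_js_json( $url, $nonce ) {
    $payload = array( 'url' => $url, 'nonce' => $nonce );
    return '<script>var kubaAjax = ' . wp_json_encode( $payload ) . ';</script>';
}

echo inline_js_raw( $hostile ), "\n";
echo inline_js_single_quoted( $hostile ), "\n";
echo inline_js_json( $hostile, 'constructed-nonce' ), "\n";
echo inline_js_json( admin_url( 'admin-ajax.php' ), 'constructed-nonce' ), "\n";
```

Run it with `php file.php` and compare the four lines: the raw version contains a second `<script>` element, the esc_js() version keeps everything inside one string literal (with `<` and `>` as entities), and the JSON version keeps the value inside a quoted literal with every `/` written as `\/`. Inside a real plugin the JSON form usually goes through `wp_add_inline_script()` attached to the enqueued handler script rather than an inline `<script>` block, but the escaping question is the same.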
1 vote
1 answer

Is escaping get_option( 'time_format' ) necessary?

I've submitted a plugin for review and it was not accepted as it needs some fixes with data sanitization and escaping. One of the flagged examples was this line: echo'<td>'.$date .' '.$time.'<...
asked by slanginbits
2 votes
1 answer

Using `esc_attr( get_block_wrapper_attributes() )`, results in `class=""wp-block-foo""`

So, phpcs is telling me I need to escape the get_block_wrapper_attributes(); function. I thought it would be as simple as esc_attr( get_block_wrapper_attributes() );, but it would appear not to be the ...
asked by Lewis (rep 408)
0 votes
1 answer

Should I escape the html for the settings field created with add_settings_field?

I am using a class that handles the output of WP settings fields. This class uses the function "add_settings_field" which receives as a "callback" parameter the name of the function that prints the ...
asked by Giulia Rabita - Metup
1 vote
1 answer

How to safely escape data that contains HTML attributes

I am not looking for esc_attr(), which escapes data to be used within attributes. I am looking for a function that outputs one or more HTML attributes within an HTML tag. For example: <div <?php ...
asked by Álvaro Franz
1 vote
1 answer

Escape when echoed

I've been trying to submit a plugin for review and I keep having problems with the echo line. The last version I sent was like this. <option value=""> <?php _e( '- Default', ...
asked by choseɳ (rep 17)
0 votes
1 answer

How to correctly escape an echo

In WordPress they recommend that I should escape any part of the code of my plugin that shows data to the user, I have made most of the corrections but this specific case I don't know how to escape ...
asked by choseɳ (rep 17)
0 votes
1 answer

Should I escape a literal URL added in functions.php?

I added a snippet to my functions.php file to add credit card icons in the WooCommerce checkout page. The icons are in my media library so I added the URL of the image. This is not an input and it ...
asked by JEmmerich
1 vote
1 answer

How to escape variables and options when echoed?

I am very new to WordPress development. When I submitted my plugin for review it was rejected because "Variables and options must be escaped when echo'd". How do I escape the following 2 ...
asked by Daksh Angaraj
0 votes
2 answers

Why would you use esc_attr() on internal functions?

I see a lot of these in premium themes/plugins. #1 - Why would you escape this? It's your own data. For consistency? function prefix_a() { $class_attr = 'a b c'; // Some more code. ...
asked by user557108
1 vote
0 answers

Securing/Escaping Output of file content - reading via fread() in PHP

I am working on securing the content read from a file via the fread() function. private function readfile_chunked($file) { $chunksize = 1024 * 1024; // Open Resume $handle = @fopen($file, ...
asked by sehrish (rep 11)
0 votes
1 answer

Is there any solution, IDE/tool etc., for automatic escaping for WordPress?

Is there any tool/IDE etc. to escape WordPress theme/plugin files automatically? How can I do it with PhpStorm?
asked by attack-to-overflow
0 votes
1 answer

Why is esc_html__() not used on every text that has a translation (on Twenty Twenty One)?

Why, in the register_nav_menus() functions (from Twenty Twenty One functions.php), do we find esc_html__() on the primary menu but not on the secondary menu, like below: register_nav_menus( ...
asked by PhpDoe (rep 299)
0 votes
1 answer

Can wp_strip_all_tags be used as a substitute for esc_url, esc_attr & esc_html?

esc_url, esc_attr & esc_html are used to escape content that is untrusted so that potentially malicious code isn't executed. Can wp_strip_all_tags be used as an alternative? If not, why?
asked by Ryan (rep 63)
0 votes
1 answer

Echo custom CSS code to a WordPress page template file? Is this safe?

I created a WordPress page template and I want to add this CSS code only inside this template. For security concerns, should I escape? Can anyone help me to solve this? Here is the ...
asked by Gayal cham
1 vote
1 answer

Should you escape hardcoded URLs?

I'm writing a very simple social share plugin for a client. I'm using these two functions to display the share buttons at the bottom of each post: <?php /** * Social buttons */ function ...
asked by Sam (rep 2,166)
2 votes
1 answer

Sanitizing comments or escaping comment_text()

I'm creating a template for comments on my WordPress site. I noticed that a simple <script>alert(1);</script> slips through the default WP codex implementation of comments, using the ...
asked by p01ntbr34k
1 vote
1 answer

Sanitizing, Validating and Escaping in WordPress (Plugin)

I am currently developing my first WordPress plugin. A few days ago I submitted it to WordPress for review. Unfortunately, the plugin was not (yet) published, because I still have to close some ...
asked by Jonas (rep 159)
2 votes
1 answer

How to properly escape a translated string?

I'm having trouble understanding how to escape a translated string with WordPress... The following piece of code is from the WordPress Codex: function wpdocs_kantbtrue_init() { $args = array( ...
asked by user190323
0 votes
1 answer

file_get_contents | escaping doesn't show the page

I have the code below. echo $FileContents; shows the page that comes from the PHP variable correctly, but the escape function, which is <?php esc_html( $FileContents ); ?>, didn't show anything. How can I ...
asked by Javascript Asking Account
0 votes
1 answer

Escaping crashes my output

When I add WordPress escaping code like esc_attr_e to the variable below, it writes text instead of HTML code to my browser: <?php echo esc_attr_e( $redux_demo['editor-text-header-left'], 'hekim' );...
asked by Faruk rıza
0 votes
0 answers

how to unescape wordpress output

I am having to hook into a plugin and I need to actually output a value I get via jQuery. However, when I try to return it (I have to use return) it just escapes the javascript instead of actually ...
asked by Iggy's Pop
-1 votes
1 answer

Escaping Issues

I have some questions about escaping. These examples are the things which I couldn't get right. Must I escape variables, and if so, how can I do it? For example: global $redux_demo; in this code: ...
asked by Faruk rıza
2 votes
1 answer

Which escape function to use when escaping an email or plain text?

I have submitted a plugin to the WordPress repo, they have come back and said I need to escape the values in my email sending code NOT sanitize. So I'm confused what function they want me to use. Can ...
asked by sazr (rep 357)
0 votes
2 answers

Help about Escaping

I want security for my theme, so I took all the different commands from my theme files. If I need to escape these, how can I do it? <?php get_header(); ?> <h1><?php _e( 'Page not found',...
asked by ahmet kaya
0 votes
0 answers

Remove pre and code tags from WordPress

WordPress has added both <pre> and <code> tags to my PHP embedded in a post. Here's an example <pre><code>register_taxonomy( 'Books', 'post', array( 'label' => __(...
asked by Brad Dalton (rep 6,967)
3 votes
1 answer

Is it safe and good practice to use do_shortcode to escape?

We're using Advanced Custom Fields in our company and sometimes we need to use shortcodes in our custom fields. In the PHP code we then use the do_shortcode function for these fields. There is no ...
asked by maysi (rep 143)
1 vote
2 answers

Is Wrapping intval() Around esc_attr() Redundant for Escaping Input?

My gut tells me wrapping esc_attr() in intval() is redundant when it comes to escaping input, but I would like to double-check. Also: considering that <option value="">- select no. -</option&...
asked by gardinermichael
0 votes
2 answers

How to allow single quote with esc_html__() without sprintf()

Because of security reasons we are of course required to use esc_html__() for WP development. This is annoying because if you'd want to pass a single quote into your strings, you'd have to use sprintf(...
asked by Rens Tillmann
0 votes
1 answer

Do I need to escape get_theme_mod('url') / ('mail') with esc_url?

Question is in the title, thanks in advance (:
asked by Arttyor (rep 51)
0 votes
1 answer

How to escape HTML generated by a loop

I have the following code which is flagging a warning that I've been asked to fix by my theme reviewer. WARNING All output should be run through an escaping function (see the Security sections in the ...
asked by Steven Gardner
0 votes
1 answer

How to keep specific tag from an html string?

Hello, I'm trying to keep only specific tags from an HTML string. For example: $allowed_tag=array('a'); $content = '<a href="#">link</a> <b>strong text</b>'; $content = ...
asked by ZecKa (rep 768)
3 votes
1 answer

When outputting a static string to the page, is it necessary to escape the output?

In my code I'm using the _e() function to echo static text onto the page: _e( 'Plugin name not found.', 'opn_td' ); Is this safe, or do I need to escape this output? As I understand (from ...
asked by cag8f (rep 1,997)
0 votes
0 answers

How to use wp_filter_oembed_result?

I have a video iframe; it can be YouTube, Vimeo, etc. $iframe = get_field($field, $id); if(empty($iframe)){ return; } preg_match('/...
0 votes
1 answer

How to allow &nbsp with wp_kses()?

I have HTML containing &nbsp but I am unable to pass it through wp_kses(). I have tried adding the allowed HTML array('&nbsp' => array(),) but it does not seem to work. Is there a way or I ...
1 vote
1 answer

Why should I escape translatable strings? and how shall i do that?

Is it really necessary to escape translatable strings?
7 votes
1 answer

When do I need to use esc_html()? [duplicate]

When outputting data prior to rendering it, what is best practice in terms of when to use esc_html()? For example, what if my PHP template contains the following code: <?php $title = "Contact"; ?&...
asked by cag8f (rep 1,997)
1 vote
2 answers

How to safely escape the title attribute

I'm going through some training on internationalization and escaping data. But I feel stuck with escaping the title attribute. I have the following code in a helper function... echo '<h2 ...
asked by klewis (rep 899)
5 votes
4 answers

Should messages in WP_Error already be html escaped?

This isn't about what html escaping is or how it's done, but if there's an established best practice about when to do it. I have some utility code in my plugin that may generate a WP_Error based on ...
asked by Jason Viers
23 votes
2 answers

What’s the difference between esc_html, esc_attr, esc_html_e, and so on?

I got feedback from security guy and he pointed out that I should use proper escaping of user input in my code. So I've done some research and found escaping functions. What’s the difference between ...
asked by baldrick (rep 241)
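Two of the questions in this list, the one asking whether wp_strip_all_tags() can replace esc_url(), esc_attr() and esc_html(), and the one directly above asking what the difference between esc_html(), esc_attr(), esc_html_e() and the rest actually is, are best answered by putting the same hostile input through each function in the context it was written for and in a context it was not. The following is an added example written for this page; it is not an answer from the site and not WordPress core code. The three payload strings are constructed, the `link_*`, `href_attr_vs_url` and `single_quoted_attr` names are hypothetical, and when the file runs outside WordPress the esc_* and wp_strip_all_tags() definitions at the top are simplified stand-ins (an assumption that approximates core's behaviour, not core itself). Inside WordPress those stand-ins are skipped and the real functions run.

```php
<?php
// Added example, not code from this page or from WordPress core. It shows why
// each esc_* function is tied to one output context and why wp_strip_all_tags()
// is not a substitute for any of them. Outside WordPress the esc_* functions are
// undefined, so the fallbacks below are simplified stand-ins (assumption: close
// to core's behaviour, not identical) that let the file run under plain PHP.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
    function esc_js( $text ) {
        // Core targets single-quoted JS string literals: entities for < > & ",
        // backslash-escaped single quotes, newlines turned into \n.
        $safe = addslashes( htmlspecialchars( (string) $text, ENT_COMPAT, 'UTF-8' ) );
        return str_replace( array( "\r", "\n" ), array( '', '\\n' ), $safe );
    }
    function esc_url( $url ) {
        // Core rejects any URL whose scheme is not in wp_allowed_protocols();
        // this list is a shortened assumption.
        $allowed = array( 'http', 'https', 'mailto', 'tel', 'ftp' );
        $url     = trim( (string) $url );
        if ( preg_match( '#^([a-z][a-z0-9+.-]*):#i', $url, $m )
            && ! in_array( strtolower( $m[1] ), $allowed, true ) ) {
            return '';
        }
        return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
    }
    function wp_strip_all_tags( $text ) {
        $text = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', (string) $text );
        return trim( strip_tags( $text ) );
    }
}

// Constructed attacker inputs. None contains an HTML tag, which is the point:
// tag stripping has nothing to remove, yet each one changes how the page parses.
$attr_payload = '" autofocus onfocus="alert(1)';   // closes a double-quoted attribute
$url_payload  = 'javascript:alert(1)';              // no markup, dangerous scheme
$sq_payload   = "' onmouseover=alert(1) x='";       // closes a single-quoted attribute

// 1. Tag stripping versus escaping, attribute and URL context side by side.
function link_stripped( $href, $title ) {
    return '<a href="' . wp_strip_all_tags( $href ) . '" title="'
        . wp_strip_all_tags( $title ) . '">x</a>';
}
function link_escaped( $href, $title ) {
    return '<a href="' . esc_url( $href ) . '" title="' . esc_attr( $title ) . '">x</a>';
}

// 2. esc_attr() is the wrong function for an href: "javascript:alert(1)" has no
//    character it would encode, so the scheme survives; esc_url() drops the URL.
function href_attr_vs_url( $href ) {
    return array( 'esc_attr' => esc_attr( $href ), 'esc_url' => esc_url( $href ) );
}

// 3. esc_js() is for JS string literals, not HTML attributes: it turns ' into \',
//    which an HTML parser does not understand, so the quote still closes the
//    attribute and the injected onmouseover= survives. esc_attr() encodes it.
function single_quoted_attr( $value ) {
    return array(
        'esc_js'   => "<span title='" . esc_js( $value ) . "'>x</span>",
        'esc_attr' => "<span title='" . esc_attr( $value ) . "'>x</span>",
    );
}

echo link_stripped( $url_payload, $attr_payload ), "\n";
echo link_escaped( $url_payload, $attr_payload ), "\n";
print_r( href_attr_vs_url( $url_payload ) );
print_r( single_quoted_attr( $sq_payload ) );
```

Run it with `php file.php` and read the output in order: the tag-stripped link carries an injected onfocus attribute and a javascript: href intact; esc_attr() leaves javascript:alert(1) untouched because the string contains nothing it encodes, while esc_url() returns an empty string; and esc_js() output placed inside a single-quoted HTML attribute still closes the quote, because the backslash it adds means nothing to an HTML parser. The rule of thumb this demonstrates is the one the reviewers apply: pick the function by where the value lands (esc_html() in element content, esc_attr() in an attribute, esc_url() in href/src, esc_js() only in a single-quoted JS literal), and treat stripping as sanitization of stored input, not as output escaping.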
0 votes
1 answer

How to safely return the HTML?

I have return '<button type="button" class="btn btn-success">Open Now</button>'; If I echo this it will work fine. I am getting a warning like echo is used without escaping. I know ...
2 votes
1 answer

meta_query works locally but not on live server

I'm filtering posts by author's last name initials. On my local server, the query runs beautifully, but when I push live, it doesn't. It doesn't find anything. Does it have anything to do with the way ...
asked by Gabriel H.
10 votes
1 answer

Sanitize and data validation with apply_filters() function

Should we sanitize and validate the apply_filters() like the examples below? absint( apply_filters( 'slug_excerpt_length', 35 ) ); wp_kses_post( apply_filters( 'slug_excerpt_more', '&hellip;' ) );...
asked by Asaf (rep 103)