Articles on escaping

Escape html structure in php

I have code like this: <?php echo '<div class="class-name">' . __( 'Text', 'text-domain' ) . '</div>'; ?> in a plugin of mine. Do I have to escape this (esc_html or similar)?

Wrapping add_query_arg with esc_url not working

I know about the XSS issue related to the add_query_arg() function. That is why I am wrapping it with esc_url(). Problem is…this is not working with wp_remote_get(). If I go: $url = add_query_arg( array( 'email' => '', 'token' => '899A762614F6C49809A374FB955EC8C15' ), '' ); $response = wp_remote_get( $url ); I am getting a valid body response. But if I […]

Proper way to use esc_html__ and esc_attr__ etc. for escaping values for translation

From the articles on the Codex, esc_attr_e is the proper way to escape a value for translation. But from other articles, I read about sanitizing issues and security issues for some escaping code. For my code, I am using this: <h4><?php esc_attr_e( 'PREVIOUS ARTICLE', 'myweb' ); ?></h4> Is my code proper for translation? If not, what code […]

Echoing a URL to a link

I've found the esc_url() function and I'm trying to understand what to do with URLs in WordPress, before resorting to my normal PHP tactics. I see that the third parameter is used to set the filter that runs on it, with the default value of 'display'. This is for display on a webpage. I grepped […]

Product description text displays above the website on the shop page

Product description text appears above and outside of the website. It is seen on the shop page, when I look at the site from my smartphone, and also while visiting the site from the back office.

HTML escaping data with ajax requests

I follow the WP philosophy of late escaping, but I'm not sure when to escape HTML special characters when working with ajax requests. Note that, to my understanding, when setting data on an element with the jQuery .text() method, or using the createTextNode() method, it automatically escapes text content. So this question doesn't apply to using […]

Something is unescaping all html entities before output to browser

I have a nasty problem. On my WordPress site something unescapes all HTML entities before sending data to the browser. It happens for all of the following cases: echo "&quot;XSS"; print_r( htmlspecialchars( '"XSS' ) ); esc_html( '"XSS' ); // output in all cases is unescaped // I'm running version 3.4.1 with a bunch of plugins […]

Do we need to escape data that we receive from theme options?

I'm creating a WordPress theme that I'm hoping to sell on Themeforest. Now I know a lot about escaping user-inputted data using functions like esc_html, esc_url and so on, and I use them in the comments template and a few other places in my theme. What I'm not sure about is whether I'm supposed to use […]

Using esc_attr_e

From what I understand, esc_attr_e is ideally used for escaping values in attributes. Is it right that the usage of esc_attr_e can also be worked in with non-attribute values, such as the h3 and label elements in the example below? <h3><?php esc_attr_e( 'Some Text', 'my-plugin' ); ?></h3> <form name="myplugin_form" method="post" action=""> <input type="hidden" […]

Allow HTML in Settings API input field

I want to allow a user to enter HTML into a plugin input field. I am using the Settings API, but it strips all HTML out. Code below; any pointers? function plugin_settings(){ register_Setting( 'ng_settings_group', 'my_settings', 'plugin_prefix validate_input' ); add_settings_section( 'my_section', 'My Settings', 'plugin_prefix my_section_callback', 'plugin' ); add_settings_field( 'ng_menu_html', 'HTML Carat', 'plugin_prefix ng_html_callback', 'plugin', 'my_section' ); […]