When outputting data prior to rendering it, what is best practice in terms of when to use esc_html()? For example, what if my PHP template contains the following code:
Would I need to wrap $title in esc_html()? If the answer is ‘no,’ can you give me an example of when I would need to wrap $title in esc_html()? Assume there is no user input on the page in question.
This Codex page seems to say ‘yes,’ a variable should be escaped with esc_html() anytime it is enclosed in an HTML element. But this page seems to indicate ‘no,’ a variable should be escaped with esc_html() only if there is a chance the variable could contain text that could be interpreted as harmful/unexpected HTML (i.e. a dynamic variable, or a user-inputted variable).
Previous Stack Exchange Questions
I’ve seen the following Stack Exchange questions, which give some insight. But none have an accepted answer, so I was hoping to get one here. The replies in these questions indicate that the answer to my question is ‘no,’ esc_attr() is not needed in my particular case.
Question 1 – The reply here simply says one doesn’t need to esc_html() on hard coded URLs.
Question 2 – The reply here indicates I need to esc_html(), “…anytime you are not 100% sure that what you want to output is a valid HTML for that context.”
Question 3 – This says, “don’t bother to escape static strings, it’s pointless.”
While this is probably a duplicate of What’s the difference between esc_html, esc_attr, esc_html_e, and so on? I’m going to go ahead and provide an answer anyway, since as @cag8f indicated, there’s not an accepted answer on that question (but I’ll add that I think Tom’s answer there tells you what you need to know).
You need to escape output when there’s a possibility that the output might be changed somewhere or may have some “untrusted” value.
You do not need to escape this. “Contact” is already set and is a safe value and is not changed. In fact, as written, you are wasting space (and readability) and it really should be just hard HTML.
Now, if you do something to $title, that changes things. You would need to escape the output in that case because you don’t know what the value might be.
This needs to be escaped because you don’t actually know what the value is, and thus you don’t know if it is safe to output. That’s where it needs to be escaped.
It is important to also know the following:
Learn which escape functions do which tasks. Using one that isn’t appropriate for the data could result in not fully escaping the value, or breaking it in some other way. There are escape functions for different data types, so use the correct one.
Know if the data needs to be escaped. If you’re using a WP function that already escapes the data, then you’re double escaping it and that can result in bad output. If you’re not sure, look up the function and review the source.
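The three situations the answer describes (a fixed literal, a value that is not fixed in the template, and a value that has already been escaped), as an added PHP example that is not part of the question or the answer above. It assumes a WordPress theme context where esc_html() exists; the function_exists() fallback is only there so the file runs outside WordPress and is a simplified stand-in, not WordPress's real implementation. The sample title strings are constructed for illustration.

```php
<?php
// Added example, not code from the question or answer above.
// Assumption: inside WordPress, esc_html() already exists and this fallback
// is skipped. Outside WordPress, this simplified stand-in lets the file run;
// WordPress's own esc_html() does more (e.g. UTF-8 validation), so do not
// copy this fallback into a theme or plugin.
if (!function_exists('esc_html')) {
    function esc_html($text): string
    {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
    }
}

// Case 1: a hard-coded literal set in this same file. Nothing else can change
// it, so escaping buys no protection; plain HTML would be clearer still.
$title = 'Contact';
echo '<h1>' . $title . '</h1>' . PHP_EOL;
// <h1>Contact</h1>

// Case 2: a value that is not fixed here (from the database, an option, a
// filter, another developer's code). Its contents are unknown when the template
// is written, so it is escaped for the HTML-text context it is printed into.
function render_title(string $title): string
{
    return '<h1>' . esc_html($title) . '</h1>';
}

// Constructed sample standing in for a stored value that happens to contain
// characters with meaning in HTML.
$stored_title = 'Terms & <b>Conditions</b>';
echo render_title($stored_title) . PHP_EOL;
// <h1>Terms &amp; &lt;b&gt;Conditions&lt;/b&gt;</h1>
// The browser shows the literal text, including the angle brackets, instead
// of interpreting <b> as markup.

// Case 3: double escaping. If the value was already escaped (by you earlier,
// or by a WP function that escapes on return), escaping it again corrupts it.
$already_escaped = esc_html($stored_title);
echo render_title($already_escaped) . PHP_EOL;
// <h1>Terms &amp;amp; &amp;lt;b&amp;gt;Conditions&amp;lt;/b&amp;gt;</h1>
// The visitor now sees "&amp;" and "&lt;b&gt;" on the page. Escape once, at
// the point of output, and check whether the function you call has done it.
```

The practical rule this illustrates: escape at the last moment before output, choose the function for the context (esc_html() for text between tags, esc_attr() inside attributes, esc_url() for href/src), and when a WordPress function documents that it returns escaped output, do not wrap it again.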