What characters must be escaped in XML documents, or where could I find such a list? 10 s 10 If you use an appropriate class or library, they will do the escaping for you. Many XML issues are caused by string concatenation. XML escape characters There are only five: ” " ‘ ' < < … Read more
I have a Theme Options page where the user can add certain options like Facebook links, etc. One of the options is for some ad code and when saving it as an option it gets escaped over and over again. What’s the best approach for saving code inserted in an admin page <textarea> using update_option( … Read more
I’ve been reviewing a lot of information about WP theme and plugin security and understand the concept that you should escape attributes and HTML values in themes and plugins. I’ve seen bloginfo() and echo get_bloginfo() used both standard and inside an esc_html() or esc_attr() function. Genesis and _s, Automattic’s base theme both escape these values … Read more
When doing a template such as single.php and you have php wrapped in html, is it best to : Start + Stop PHP? for example <h1 class=”post-tilte”><?php the_title(); ?></h1> <p class=”post-content”><?php the_content();?></p> Or Echo HTML and Escape PHP? For example – <?php echo ‘<h1 class=”post-title”>’ . get_the_title() . ‘</h1> <p class=”post-content”‘ . get_the_content() . ‘</p> … Read more
I’m confused about the different uses of esc_html() and wp_kses(). I understand that esc_html() converts special characters to their HTML entity, and that wp_kses() removes unwanted tags (e.g., <script>), but I’m not sure in what contexts they should be used together or separately. If I run some untrusted HTML through esc_html(), then any JavaScript will … Read more
I had look at the code but I couldnt see any escaping on funcions like the_title the_content the_excerptetc. I might not be reading it right. Do I need to escape these functions in theme development like: esc_html ( the_title () ) Edit: as pointed out in the answers below the above code is wrong regardless … Read more
I’m trying to replace each , in the current file by a new line: :%s/,/\n/g But it inserts what looks like a ^@ instead of an actual newline. The file is not in DOS mode or anything. What should I do? If you are curious, like me, check the question Why is \r a newline … Read more
I got feedback from security guy and he pointed out that I should use proper escaping of user input in my code. So I’ve done some research and found escaping functions. What’s the difference between them? When should I use esc_html() and when esc_attr()? And when should I use these functions with _e() at the … Read more
What are all the escape characters?
The character ‘\’ is a special character and needs to be escaped when used as part of a String, e.g., “\”. Here is an example of a string comparison using the ‘\’ character: if (invName.substring(j,k).equals(“\\”)) {…} You can also perform direct character comparisons using logic similar to the following: if (invName.charAt(j) == ‘\\’) {…}
