First and foremost, I do know that escaping is good practice and should always be done when taking input from an external source, but I'm wondering how necessary it is to use the WordPress escape functions when you're working on a site that only has trusted admin accounts managing the data?
For example, if you're using ACF to create custom fields that only admins have access to, and have written functions to grab that data, should that always be escaped using something like esc_html() or esc_attr()?
Seems obvious, but I ask because WordPress vaguely suggests that "most" WordPress functions don't require escaping:
https://developer.wordpress/apis/security/escaping/
I tend to run paranoid, so I would prefer to escape often and not assume anything, but that makes me wonder if running something like esc_html() over something WordPress might already have escaped, causing "double escaping", could create issues, or at the very least have a performance hit.
asked Feb 15 at 21:05 by fyrekcaz

Comment: The WordPress page you linked mentions that "most WordPress functions properly prepare the data for output, and additional escaping is not needed", hence additional escaping is typically not necessary when using those functions. However, it's a good idea to check the documentation beforehand to confirm whether a function escapes its output. And being managed only by trusted admins doesn't mean the data doesn't need escaping, because issues like human errors can happen! – Sally CJ, Feb 17 at 4:05
1 Answer
That WordPress page was probably written by someone who does not get security.
Escaping is done to make sure that your output, when it is part of an HTML page, is displayed to the user as you intend it to be, which means converting things like "<" to the appropriate HTML entity.
Yes, if you do not escape, a bad actor who can insert content into the site's pages can trick the pages into displaying information you would not like to be displayed, but the root cause usually is that you do not escape your output to make sure it will display only the string as it should have been displayed.
Escaping is context based, and you should not apply HTML-related escaping to an email which contains simple text, so I am not really sure what that claim about WordPress APIs always escaping is about.
Double escaping is not needed, but it is usually not something to worry about, as the additional CPU power required is probably close to 0.
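As an added example (not code from the question or the answer, and it does not load WordPress), this stand-alone PHP script shows what the answer's "context" and "double escaping" points look like in practice. The helper names esc_html_like() and php_default_escape() are mine, and the first assumes that WordPress core's esc_html() and esc_attr() reduce to htmlspecialchars() with ENT_QUOTES and double encoding disabled.

```php
<?php
// Added example for this thread, not code from the question or the answer, and
// it does not load WordPress. esc_html_like() reproduces what WordPress core's
// esc_html() and esc_attr() boil down to (assumption stated in the lead-in):
// htmlspecialchars() with ENT_QUOTES and double_encode = false.

function esc_html_like(string $text): string
{
    // double_encode = false leaves an existing "&lt;" or "&amp;" untouched
    // instead of turning it into "&amp;lt;" or "&amp;amp;".
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
}

function php_default_escape(string $text): string
{
    // PHP's own default is double_encode = true.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', true);
}

// Constructed value: what a trusted admin might type into an ACF text field
// with no bad intent at all, a "<" meant as a less-than sign.
$value = 'Tickets <10 EUR & "early bird"';

// 1. HTML context. One pass escapes it; a second pass changes nothing, so
//    "double escaping" through the WordPress-style helper is a no-op.
$once  = esc_html_like($value);  // Tickets &lt;10 EUR &amp; &quot;early bird&quot;
$twice = esc_html_like($once);
printf("WordPress-style escaping twice is idempotent: %s\n", var_export($once === $twice, true));

// 2. PHP's default is not idempotent: the second pass yields "&amp;lt;", which
//    the browser shows literally as "&lt;". That is the display bug meant by
//    "double escaping"; it is a rendering problem, not an injection.
$naive_twice = php_default_escape(php_default_escape($value));
printf("PHP default escaping twice: %s\n", $naive_twice);

// 3. Context matters. In a plain-text e-mail the same value must not be
//    HTML-escaped, or the recipient reads "&amp;" and "&lt;" as literal text.
$email_body = "Hi,\n\n" . $value . "\n";
echo "Plain-text e-mail body (no HTML escaping):\n", $email_body;

// 4. Attribute context. The escaper converts the quotes, but it is the
//    template's quoting of the attribute that keeps the value inside it.
echo '<input value="', esc_html_like($value), "\">\n";
```

Run it with `php escaping_demo.php` (any filename you like) and compare the "twice" lines: the WordPress-style helper prints the same string both times, while PHP's default turns `&lt;` into `&amp;lt;` on the second pass.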