
Escaping Issues


I have some questions about escaping. These examples are the things I couldn't get right.

Must I escape variables? If so, how can I do it?

For example: global $redux_demo;

in this code:

    if ( class_exists( 'Redux' ) ) {
        global $redux_demo;
        if ( $redux_demo['button-set-single-archive-services'] == 2 ) {
            get_template_part( 'demo-archive-services' );
            die;
        }
    }

Is this correct escaping?

<?php esc_html_e( 'Our Services', 'hekim' )?>

Do functions that start with the need escaping or not?

For example: <?php the_title(); ?>

If I replace these functions with the functions that start with get, do they need escaping? Is there any difference in output between functions that start with the and functions that start with get?

Why doesn't this escaped function appear?

After escaping this phrase, it doesn't appear. What is my mistake in escaping? What is the correct form?

<li><?php esc_html( '<a href="#"> HOME </a>' ); ?>xx</li>

asked May 20, 2020 at 7:57 by Faruk rıza

1 Answer

The point of escaping is to make sure that when a value is output, it cannot output anything malicious, or that would just break the markup of the page. For example, when outputting a variable, you will want to escape certain characters so that the value can't unintentionally open or close HTML tags, which could break the layout of your page, or even output a <script></script> element that could run malicious JavaScript.

WordPress VIP's documentation has a great overview of the concept, with examples: https://wpvip.com/documentation/vip-go/validating-sanitizing-and-escaping/

Regarding your specific examples:

> Must I escape variables? If so, how can I do it?
>
> For example: global $redux_demo;
>
> in this code:
>
>     if ( class_exists( 'Redux' ) ) {
>         global $redux_demo;
>         if ( $redux_demo['button-set-single-archive-services'] == 2 ) {
>             get_template_part( 'demo-archive-services' );
>             die;
>         }
>     }

No. Not all variables need to be escaped. Variables only need to be escaped when output. $redux_demo is not being output, so nothing here needs to be escaped.

> Is this correct escaping?
>
>     <?php esc_html_e( 'Our Services', 'hekim' )?>

Yes. _e() is a function that allows the 'Our Services' string to be replaced by a translation. This means that you can't trust that the output of this line will always be safe. Therefore it needs to be escaped. esc_html_e() is a function that automatically escapes with esc_html(), after running _e() to allow the text to be translated.

> Do functions that start with the need escaping or not?
>
> For example: <?php the_title(); ?>
>
> If I replace these functions with the functions that start with get, do they need escaping? Is there any difference in output between functions that start with the and functions that start with get?

As a general rule, built in functions that start with the_ don't need to be escaped, but functions starting with get_ do need to be escaped. For example, the_permalink() uses esc_url() to escape get_the_permalink() before outputting it.

> Why doesn't this escaped function appear?
>
> After escaping this phrase, it doesn't appear. What is my mistake in escaping? What is the correct form?
>
>     <li><?php esc_html( '<a href="#"> HOME </a>' ); ?>xx</li>

The point of esc_html() is to prevent any HTML in the value from being interpreted as HTML. There is nothing in this example that needs to be escaped. If the link URL was a variable, that would need to be escaped.
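
Why the last snippet prints nothing, as an added example that is not part of the original answer: `esc_html()` returns the escaped string instead of echoing it, and escaping a whole anchor turns its tags into visible text. The `hekim_menu_item()` helper, the sample values and the simplified stand-in functions are assumptions for illustration; inside WordPress the real `esc_html()` and `esc_url()` are used instead.

```php
<?php
// Stand-ins so this file also runs outside WordPress; inside a theme the real
// core functions already exist and these simplified versions are skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
    function esc_url( $url ) {
        // Simplified rule: allow http(s), site-relative and fragment links only.
        if ( ! preg_match( '~^(https?://|/|#)~i', (string) $url ) ) {
            return '';
        }
        return htmlspecialchars( (string) $url, ENT_QUOTES, 'UTF-8' );
    }
}

// Hypothetical helper: the static markup is written literally, and only the
// dynamic values are escaped, each for the context it lands in.
function hekim_menu_item( $url, $label ) {
    return '<li><a href="' . esc_url( $url ) . '">' . esc_html( $label ) . '</a></li>';
}

// 1. esc_html() only returns a value. Called without echo, as in the question,
//    it sends nothing to the page, so the captured output buffer stays empty.
ob_start();
esc_html( '<a href="#"> HOME </a>' );
$without_echo = ob_get_clean();

// 2. Echoing the result escapes the tags as well, so the browser would show
//    the anchor markup as literal text instead of rendering a link.
$whole_anchor = esc_html( '<a href="#"> HOME </a>' );

// 3. Constructed values standing in for a theme option or user-supplied data.
$items = array(
    array( '#', 'HOME' ),
    array( 'https://example.com/?a=1&b=2', 'Tom & "Jerry"' ),
    array( 'javascript:void(0)', '<script>alert(1)</script>' ),
);

echo 'without echo: [' . $without_echo . "]\n";
echo 'whole anchor: ' . $whole_anchor . "\n";
foreach ( $items as $item ) {
    echo hekim_menu_item( $item[0], $item[1] ) . "\n";
}
```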
