I want security for my theme, so I took all different commands from my theme files. If I need to escape these, how can I do it? :
<?php get_header(); ?>
<h1><?php _e( 'Page not found', 'html5blank' ); ?></h1>
<a href="<?php echo home_url(); ?>">
<?php
if ( $thumbnail_id = get_post_thumbnail_id() ) {
if ( $image_src = wp_get_attachment_image_src( $thumbnail_id, 'normal-bg' ) )
printf( ' style="background-image: url(%s);"', $image_src[0] );
}
?>>
<?php
// Set the Current Author Variable $curauth
$curauth = (isset($_GET['author_name'])) ? get_user_by('slug', $author_name) : get_userdata(intval($author));
?>
<?php echo get_avatar( get_the_author_email(), '20' ); ?>
<?php
function your_prefix_render_hfe_footer() {
if ( function_exists( 'hfe_render_footer' ) ) {
hfe_render_footer();
}
}
add_action( 'astra_footer', 'your_prefix_render_hfe_footer' ); // callback name must match the function defined above ?>
<?php footer_shortcode_elementor() ?>
-----------------------------
in functions.php:
add_filter('comment_form_fields', 'wpb_move_comment_field_to_bottom');
if ( ! function_exists( 'WPScripts_enqueue' ) ) {
-----------------------------
<?php
global $post;
$tags = get_the_tags($post->ID);
if (is_array($tags) || is_object($tags)) {
foreach($tags as $tag)
{
echo '<a href="' . get_tag_link($tag->term_id) . '"><span class="badge badge-dark">' . $tag->name . '</span></a> ';
}
}
?>
<?php if (have_posts()): while (have_posts()) : the_post(); ?>
Thank you
asked Mar 12, 2020 at 21:47 by ahmet kaya

Comment (Tom J Nowell ♦, Mar 13, 2020 at 1:02): Can you be more specific about what you're asking? I don't see a way to answer this question at the moment that doesn't involve just doing the escaping for you, which wouldn't teach much. Share some information about what it is that you're unsure of so that it becomes clearer what an answer might look like.
2 Answers
Here are just a few examples of what escaping looks like:
Escaping URLS:
<?php echo esc_url( home_url() ); ?>
Escaping Content
<?php echo esc_html( get_the_title() ); ?>
Escaping Attributes
<?php echo esc_attr( $my_class ); ?>
Escaping Content but keep HTML
<?php echo wp_kses_post( get_the_content() ); ?>
Escaping Emails
<?php echo sanitize_email( $email_address ); ?>
For more information about escaping, here's a good resource on data sanitization.
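Applying those functions to the snippets from the question gives the following template. This is an added example, not code from the original post, the answer, or the html5blank theme: it assumes it runs inside a WordPress theme template, the 'normal-bg' image size and 'html5blank' text domain are taken from the question, and the CSS class name page-hero is made up for the example. Every WordPress function called is a real core function.

```php
<?php
/**
 * Added example (not from the original question or the html5blank theme):
 * the question's own template snippets with output escaping applied.
 * Rule of thumb: escape at the point of output, choosing the escaper by
 * the HTML context the value lands in (text, attribute, URL, full HTML).
 */

get_header();
?>

<!-- Translated text: esc_html_e() translates and HTML-escapes in one call. -->
<h1><?php esc_html_e( 'Page not found', 'html5blank' ); ?></h1>

<!-- A URL inside href: esc_url(). Escape even "trusted" values such as home_url();
     a plugin filter on home_url could otherwise inject a quote into the attribute. -->
<a href="<?php echo esc_url( home_url( '/' ) ); ?>">Home</a>

<?php
// Featured image URL that ends up inside an inline style attribute.
$bg_url       = '';
$thumbnail_id = get_post_thumbnail_id();
if ( $thumbnail_id ) {
    $image_src = wp_get_attachment_image_src( $thumbnail_id, 'normal-bg' ); // array or false
    if ( $image_src ) {
        $bg_url = $image_src[0];
    }
}
?>
<div class="page-hero"<?php if ( $bg_url ) : ?> style="background-image: url(<?php echo esc_url( $bg_url ); ?>);"<?php endif; ?>>

<?php
// get_avatar() returns a complete <img ...> tag, so esc_html() would break it.
// wp_kses_post() keeps the tag and strips any attribute WordPress does not allow.
// get_the_author_meta( 'ID' ) replaces the deprecated get_the_author_email().
echo wp_kses_post( get_avatar( get_the_author_meta( 'ID' ), 20 ) );

// get_the_tags() returns an array, false, or a WP_Error; only iterate a real array.
// A term name is stored data that an editor typed, so it is escaped like any string.
$tags = get_the_tags( get_the_ID() );
if ( is_array( $tags ) ) {
    foreach ( $tags as $tag ) {
        $tag_link = get_tag_link( $tag->term_id ); // string, or WP_Error for a bad term ID
        if ( is_wp_error( $tag_link ) ) {
            continue;
        }
        printf(
            '<a href="%s"><span class="badge badge-dark">%s</span></a> ',
            esc_url( $tag_link ),
            esc_html( $tag->name )
        );
    }
}
?>
</div>
```

The calls that only run other code (get_header(), the add_action() hook registration, the have_posts() loop) output nothing themselves and need no escaping; what needs escaping is every value that is printed into HTML, and the escaper is chosen by where it is printed, not by where the value came from.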
Again, I can't comment yet, but I think this is what you're looking for:
How to properly validate data from $_GET or $_REQUEST using WordPress functions?
If your $_GET and $_POST are not trusted, you should always sanitize them. If you update or insert into the $wpdb, always use prepare.
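The question's author.php snippet reads $_GET['author_name'] directly, so here is the sanitize-then-validate pattern from this answer applied to it, together with $wpdb->prepare() for a query built from request data. This is an added example, not code from the original answer or question: it assumes it runs inside a WordPress template or plugin, and the min and q query parameters are made up for the example. All functions used are real WordPress or PHP functions.

```php
<?php
/**
 * Added example (not from the original question or answer): untrusted
 * request input is unslashed, sanitized for the type expected, validated
 * by looking it up, then used only through $wpdb->prepare() placeholders.
 */

// 1. $_GET input for the author archive: sanitize for the expected type, then validate.
$curauth = null;
if ( isset( $_GET['author_name'] ) ) {
    // A user slug is a slug-like string: sanitize_title() strips anything that
    // cannot appear in a slug. For free text use sanitize_text_field() instead.
    $author_slug = sanitize_title( wp_unslash( $_GET['author_name'] ) );
    if ( '' !== $author_slug ) {
        $curauth = get_user_by( 'slug', $author_slug ); // WP_User, or false if no such user
    }
} elseif ( isset( $_GET['author'] ) ) {
    // A numeric ID: absint() turns anything that is not a positive integer into 0.
    $author_id = absint( wp_unslash( $_GET['author'] ) );
    if ( $author_id > 0 ) {
        $curauth = get_userdata( $author_id ); // WP_User, or false if no such user
    }
}
if ( ! $curauth instanceof WP_User ) {
    // Lookup failed: fall back to the author WordPress already resolved for this request.
    $curauth = get_queried_object();
}
$author_id = $curauth instanceof WP_User ? $curauth->ID : 0;

// 2. Database reads with $wpdb: placeholders, never string concatenation.
//    %d integer, %s string, %f float; prepare() adds the quotes for %s itself.
global $wpdb;
$min_comments = isset( $_GET['min'] ) ? absint( wp_unslash( $_GET['min'] ) ) : 0;

$posts = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT ID, post_title
           FROM {$wpdb->posts}
          WHERE post_author = %d
            AND post_status = %s
            AND comment_count >= %d
          ORDER BY post_date DESC
          LIMIT %d",
        $author_id,
        'publish',
        $min_comments,
        10
    )
);

// LIKE patterns need one more step: esc_like() escapes the % and _ wildcards
// in the user's text before the value is passed as a normal %s placeholder.
$search = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
$titles = array();
if ( '' !== $search ) {
    $titles = $wpdb->get_col(
        $wpdb->prepare(
            "SELECT post_title FROM {$wpdb->posts}
              WHERE post_author = %d AND post_status = %s AND post_title LIKE %s",
            $author_id,
            'publish',
            '%' . $wpdb->esc_like( $search ) . '%'
        )
    );
}

// 3. Sanitizing on input does not replace escaping on output: escape again here.
foreach ( (array) $posts as $row ) {
    printf(
        '<li><a href="%s">%s</a></li>',
        esc_url( get_permalink( (int) $row->ID ) ),
        esc_html( $row->post_title )
    );
}
```

Two points are easy to miss: WordPress adds slashes to request data, so wp_unslash() comes before any sanitizer, and a sanitized value is still not safe to print, so the esc_*() functions from the first answer are applied at output regardless of what was done on the way in.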