When is it definitely needed, or good practice, to use escaping functions?
Such as using esc_url();
with:
get_template_directory_uri();
get_permalink();
get_author_posts_url();
get_edit_post_link();
wp_get_attachment_url();
And esc_html();
with:
get_the_title();
get_the_author();
get_the_date();
get_search_query();
Also I think esc_html(); and esc_attr(); are very similar, aren't they? What are the differences?
According to the documentation - Validating, Sanitizing, and Escaping by WP VIP team.
Guiding Principles
“Escaping isn’t only about protecting from bad guys. It’s just making our software durable. Against random bad input, against malicious input, or against bad weather.” –nb
According to the article - Introduction to WordPress Front End Security: Escaping the Things by Andy Adams from CSS-Tricks.
Function: esc_html
Used for: Output that should have absolutely no HTML in the output.
What it does: Converts HTML special characters (such as <, >, &) into their "escaped" entity (&lt;, &gt;, &amp;).
Function: esc_attr
Used for: Output being used in the context of an HTML attribute (think "title", "data-" fields, "alt" text).
What it does: The exact same thing as esc_html. The only difference is that different WordPress filters are applied to each function.