What’s the difference between esc_html, esc_attr, esc_html_e, and so on?
up vote
4
down vote
favorite
I got feedback from security guy and he pointed out that I should use proper escaping of user input in my code. So I've done some research and found escaping functions.
What’s the difference between them?
When should I use esc_html()
and when esc_attr()
?
And when should I use these functions with _e()
at the end?
functions escaping
New contributor
add a comment |
up vote
4
down vote
favorite
I got feedback from security guy and he pointed out that I should use proper escaping of user input in my code. So I've done some research and found escaping functions.
What’s the difference between them?
When should I use esc_html()
and when esc_attr()
?
And when should I use these functions with _e()
at the end?
functions escaping
New contributor
1
Have you read the documentation?
– Jacob Peattie
Dec 7 at 16:06
Yes and that confused me even more :(
– baldrick
Dec 7 at 16:10
add a comment |
up vote
4
down vote
favorite
up vote
4
down vote
favorite
I got feedback from security guy and he pointed out that I should use proper escaping of user input in my code. So I've done some research and found escaping functions.
What’s the difference between them?
When should I use esc_html()
and when esc_attr()
?
And when should I use these functions with _e()
at the end?
functions escaping
New contributor
I got feedback from security guy and he pointed out that I should use proper escaping of user input in my code. So I've done some research and found escaping functions.
What’s the difference between them?
When should I use esc_html()
and when esc_attr()
?
And when should I use these functions with _e()
at the end?
functions escaping
functions escaping
New contributor
New contributor
edited Dec 7 at 19:32
Howdy_McGee♦
13.1k1354123
13.1k1354123
New contributor
asked Dec 7 at 15:59
baldrick
315
315
New contributor
New contributor
1
Have you read the documentation?
– Jacob Peattie
Dec 7 at 16:06
Yes and that confused me even more :(
– baldrick
Dec 7 at 16:10
add a comment |
1
Have you read the documentation?
– Jacob Peattie
Dec 7 at 16:06
Yes and that confused me even more :(
– baldrick
Dec 7 at 16:10
1
1
Have you read the documentation?
– Jacob Peattie
Dec 7 at 16:06
Have you read the documentation?
– Jacob Peattie
Dec 7 at 16:06
Yes and that confused me even more :(
– baldrick
Dec 7 at 16:10
Yes and that confused me even more :(
– baldrick
Dec 7 at 16:10
add a comment |
2 Answers
2
active
oldest
votes
up vote
9
down vote
esc_html()
escapes a string so that it is not parsed as HTML. Characters like <
are converted to <
, for example. This will look the same to the reader, but it means that if the value being output is <script>
then it won't be interpreted by the browser as an actual script tag.
Use this function whenever the value being output should not contain HTML.
esc_attr()
escapes a string so that it's safe to use in an HTML attribute, like class=""
for example. This prevents a value from breaking out of the HTML attribute. For example, if the value is "><script>alert();</script>
and you tried to output it in an HTML attribute it would close the current HTML tag and open a script tag. This is unsafe. By escaping the value it won't be able to close the HTML attribute and tag and output unsafe HTML.
Use this function when outputting a value inside an HTML attribute.
esc_url()
escapes a string to make sure that it's a valid URL.
Use this function when outputting a value inside an href=""
or src=""
attribute.
esc_textarea()
escapes a value so that it's safe to use in a <textarea>
element. By escaping a value with this function it prevents a value being output inside a <textarea<
from closing the <textarea>
element and outputting its own HTML.
Use this function when outputting a value inside a <textarea>
element.
esc_html()
and esc_attr()
also have versions ending in __()
, _e()
and _x()
. These are for outputting translatable strings.
WordPress has functions, __()
, _e()
and _x()
, for outputting text that can be translated. __()
returns a translatable string, _e()
echoes a translatable string, and _x()
returns a translatable string with a given context. You've probably seen them before.
Since you can't necessarily trust a translation file to contain safe values, using these functions when outputting a translatable string ensures that the strings being output can't cause the same issue described above.
Use these functions when outputting translatable strings.
add a comment |
up vote
3
down vote
esc_html
would be used inside of html for example between a <p>
tag
<p><?php echo esc_html( $some_variable ); ?></p>
esc_attr
would be used for escaping attribute values on html tags like so:
<p my-attribute="<?php echo esc_attr( $some_variable ); ?>"></p>
applying _e
to the end is for using it with text domains and will automatically echo it for you e.g:
<p><?php esc_html_e( 'some-text', 'text-domain' ); ?></p>
<p my-attribute="<?php esc_attr_e( 'some-text', 'text-domain' ); ?>"></p>
in addition to _e
there is also __
which does the same as _e
but doesnt echo it so you can store it in a variable.
New contributor
2
_e
is not just for echoing, it's for localisation. So it should only be used when a string is passed to the function, and should include a text domain. Your last example is misusing it.
– Jacob Peattie
Dec 7 at 16:12
@JacobPeattie my bad, i'll update... EDIT Fixed
– jrmd
Dec 7 at 16:23
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "110"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
baldrick is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwordpress.stackexchange.com%2fquestions%2f321307%2fwhat-s-the-difference-between-esc-html-esc-attr-esc-html-e-and-so-on%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
9
down vote
esc_html()
escapes a string so that it is not parsed as HTML. Characters like <
are converted to <
, for example. This will look the same to the reader, but it means that if the value being output is <script>
then it won't be interpreted by the browser as an actual script tag.
Use this function whenever the value being output should not contain HTML.
esc_attr()
escapes a string so that it's safe to use in an HTML attribute, like class=""
for example. This prevents a value from breaking out of the HTML attribute. For example, if the value is "><script>alert();</script>
and you tried to output it in an HTML attribute it would close the current HTML tag and open a script tag. This is unsafe. By escaping the value it won't be able to close the HTML attribute and tag and output unsafe HTML.
Use this function when outputting a value inside an HTML attribute.
esc_url()
escapes a string to make sure that it's a valid URL.
Use this function when outputting a value inside an href=""
or src=""
attribute.
esc_textarea()
escapes a value so that it's safe to use in a <textarea>
element. By escaping a value with this function it prevents a value being output inside a <textarea<
from closing the <textarea>
element and outputting its own HTML.
Use this function when outputting a value inside a <textarea>
element.
esc_html()
and esc_attr()
also have versions ending in __()
, _e()
and _x()
. These are for outputting translatable strings.
WordPress has functions, __()
, _e()
and _x()
, for outputting text that can be translated. __()
returns a translatable string, _e()
echoes a translatable string, and _x()
returns a translatable string with a given context. You've probably seen them before.
Since you can't necessarily trust a translation file to contain safe values, using these functions when outputting a translatable string ensures that the strings being output can't cause the same issue described above.
Use these functions when outputting translatable strings.
add a comment |
up vote
9
down vote
esc_html()
escapes a string so that it is not parsed as HTML. Characters like <
are converted to <
, for example. This will look the same to the reader, but it means that if the value being output is <script>
then it won't be interpreted by the browser as an actual script tag.
Use this function whenever the value being output should not contain HTML.
esc_attr()
escapes a string so that it's safe to use in an HTML attribute, like class=""
for example. This prevents a value from breaking out of the HTML attribute. For example, if the value is "><script>alert();</script>
and you tried to output it in an HTML attribute it would close the current HTML tag and open a script tag. This is unsafe. By escaping the value it won't be able to close the HTML attribute and tag and output unsafe HTML.
Use this function when outputting a value inside an HTML attribute.
esc_url()
escapes a string to make sure that it's a valid URL.
Use this function when outputting a value inside an href=""
or src=""
attribute.
esc_textarea()
escapes a value so that it's safe to use in a <textarea>
element. By escaping a value with this function it prevents a value being output inside a <textarea<
from closing the <textarea>
element and outputting its own HTML.
Use this function when outputting a value inside a <textarea>
element.
esc_html()
and esc_attr()
also have versions ending in __()
, _e()
and _x()
. These are for outputting translatable strings.
WordPress has functions, __()
, _e()
and _x()
, for outputting text that can be translated. __()
returns a translatable string, _e()
echoes a translatable string, and _x()
returns a translatable string with a given context. You've probably seen them before.
Since you can't necessarily trust a translation file to contain safe values, using these functions when outputting a translatable string ensures that the strings being output can't cause the same issue described above.
Use these functions when outputting translatable strings.
add a comment |
up vote
9
down vote
up vote
9
down vote
esc_html()
escapes a string so that it is not parsed as HTML. Characters like <
are converted to <
, for example. This will look the same to the reader, but it means that if the value being output is <script>
then it won't be interpreted by the browser as an actual script tag.
Use this function whenever the value being output should not contain HTML.
esc_attr()
escapes a string so that it's safe to use in an HTML attribute, like class=""
for example. This prevents a value from breaking out of the HTML attribute. For example, if the value is "><script>alert();</script>
and you tried to output it in an HTML attribute it would close the current HTML tag and open a script tag. This is unsafe. By escaping the value it won't be able to close the HTML attribute and tag and output unsafe HTML.
Use this function when outputting a value inside an HTML attribute.
esc_url()
escapes a string to make sure that it's a valid URL.
Use this function when outputting a value inside an href=""
or src=""
attribute.
esc_textarea()
escapes a value so that it's safe to use in a <textarea>
element. By escaping a value with this function it prevents a value being output inside a <textarea<
from closing the <textarea>
element and outputting its own HTML.
Use this function when outputting a value inside a <textarea>
element.
esc_html()
and esc_attr()
also have versions ending in __()
, _e()
and _x()
. These are for outputting translatable strings.
WordPress has functions, __()
, _e()
and _x()
, for outputting text that can be translated. __()
returns a translatable string, _e()
echoes a translatable string, and _x()
returns a translatable string with a given context. You've probably seen them before.
Since you can't necessarily trust a translation file to contain safe values, using these functions when outputting a translatable string ensures that the strings being output can't cause the same issue described above.
Use these functions when outputting translatable strings.
esc_html()
escapes a string so that it is not parsed as HTML. Characters like <
are converted to <
, for example. This will look the same to the reader, but it means that if the value being output is <script>
then it won't be interpreted by the browser as an actual script tag.
Use this function whenever the value being output should not contain HTML.
esc_attr()
escapes a string so that it's safe to use in an HTML attribute, like class=""
for example. This prevents a value from breaking out of the HTML attribute. For example, if the value is "><script>alert();</script>
and you tried to output it in an HTML attribute it would close the current HTML tag and open a script tag. This is unsafe. By escaping the value it won't be able to close the HTML attribute and tag and output unsafe HTML.
Use this function when outputting a value inside an HTML attribute.
esc_url()
escapes a string to make sure that it's a valid URL.
Use this function when outputting a value inside an href=""
or src=""
attribute.
esc_textarea()
escapes a value so that it's safe to use in a <textarea>
element. By escaping a value with this function it prevents a value being output inside a <textarea<
from closing the <textarea>
element and outputting its own HTML.
Use this function when outputting a value inside a <textarea>
element.
esc_html()
and esc_attr()
also have versions ending in __()
, _e()
and _x()
. These are for outputting translatable strings.
WordPress has functions, __()
, _e()
and _x()
, for outputting text that can be translated. __()
returns a translatable string, _e()
echoes a translatable string, and _x()
returns a translatable string with a given context. You've probably seen them before.
Since you can't necessarily trust a translation file to contain safe values, using these functions when outputting a translatable string ensures that the strings being output can't cause the same issue described above.
Use these functions when outputting translatable strings.
answered Dec 7 at 16:28
Jacob Peattie
15k41826
15k41826
add a comment |
add a comment |
up vote
3
down vote
esc_html
would be used inside of html for example between a <p>
tag
<p><?php echo esc_html( $some_variable ); ?></p>
esc_attr
would be used for escaping attribute values on html tags like so:
<p my-attribute="<?php echo esc_attr( $some_variable ); ?>"></p>
applying _e
to the end is for using it with text domains and will automatically echo it for you e.g:
<p><?php esc_html_e( 'some-text', 'text-domain' ); ?></p>
<p my-attribute="<?php esc_attr_e( 'some-text', 'text-domain' ); ?>"></p>
in addition to _e
there is also __
which does the same as _e
but doesnt echo it so you can store it in a variable.
New contributor
2
_e
is not just for echoing, it's for localisation. So it should only be used when a string is passed to the function, and should include a text domain. Your last example is misusing it.
– Jacob Peattie
Dec 7 at 16:12
@JacobPeattie my bad, i'll update... EDIT Fixed
– jrmd
Dec 7 at 16:23
add a comment |
up vote
3
down vote
esc_html
would be used inside of html for example between a <p>
tag
<p><?php echo esc_html( $some_variable ); ?></p>
esc_attr
would be used for escaping attribute values on html tags like so:
<p my-attribute="<?php echo esc_attr( $some_variable ); ?>"></p>
applying _e
to the end is for using it with text domains and will automatically echo it for you e.g:
<p><?php esc_html_e( 'some-text', 'text-domain' ); ?></p>
<p my-attribute="<?php esc_attr_e( 'some-text', 'text-domain' ); ?>"></p>
in addition to _e
there is also __
which does the same as _e
but doesnt echo it so you can store it in a variable.
New contributor
2
_e
is not just for echoing, it's for localisation. So it should only be used when a string is passed to the function, and should include a text domain. Your last example is misusing it.
– Jacob Peattie
Dec 7 at 16:12
@JacobPeattie my bad, i'll update... EDIT Fixed
– jrmd
Dec 7 at 16:23
add a comment |
up vote
3
down vote
up vote
3
down vote
esc_html
would be used inside of html for example between a <p>
tag
<p><?php echo esc_html( $some_variable ); ?></p>
esc_attr
would be used for escaping attribute values on html tags like so:
<p my-attribute="<?php echo esc_attr( $some_variable ); ?>"></p>
applying _e
to the end is for using it with text domains and will automatically echo it for you e.g:
<p><?php esc_html_e( 'some-text', 'text-domain' ); ?></p>
<p my-attribute="<?php esc_attr_e( 'some-text', 'text-domain' ); ?>"></p>
in addition to _e
there is also __
which does the same as _e
but doesnt echo it so you can store it in a variable.
New contributor
esc_html
would be used inside of html for example between a <p>
tag
<p><?php echo esc_html( $some_variable ); ?></p>
esc_attr
would be used for escaping attribute values on html tags like so:
<p my-attribute="<?php echo esc_attr( $some_variable ); ?>"></p>
applying _e
to the end is for using it with text domains and will automatically echo it for you e.g:
<p><?php esc_html_e( 'some-text', 'text-domain' ); ?></p>
<p my-attribute="<?php esc_attr_e( 'some-text', 'text-domain' ); ?>"></p>
in addition to _e
there is also __
which does the same as _e
but doesnt echo it so you can store it in a variable.
New contributor
edited Dec 7 at 16:25
New contributor
answered Dec 7 at 16:04
jrmd
1315
1315
New contributor
New contributor
2
_e
is not just for echoing, it's for localisation. So it should only be used when a string is passed to the function, and should include a text domain. Your last example is misusing it.
– Jacob Peattie
Dec 7 at 16:12
@JacobPeattie my bad, i'll update... EDIT Fixed
– jrmd
Dec 7 at 16:23
add a comment |
2
_e
is not just for echoing, it's for localisation. So it should only be used when a string is passed to the function, and should include a text domain. Your last example is misusing it.
– Jacob Peattie
Dec 7 at 16:12
@JacobPeattie my bad, i'll update... EDIT Fixed
– jrmd
Dec 7 at 16:23
2
2
_e
is not just for echoing, it's for localisation. So it should only be used when a string is passed to the function, and should include a text domain. Your last example is misusing it.– Jacob Peattie
Dec 7 at 16:12
_e
is not just for echoing, it's for localisation. So it should only be used when a string is passed to the function, and should include a text domain. Your last example is misusing it.– Jacob Peattie
Dec 7 at 16:12
@JacobPeattie my bad, i'll update... EDIT Fixed
– jrmd
Dec 7 at 16:23
@JacobPeattie my bad, i'll update... EDIT Fixed
– jrmd
Dec 7 at 16:23
add a comment |
baldrick is a new contributor. Be nice, and check out our Code of Conduct.
baldrick is a new contributor. Be nice, and check out our Code of Conduct.
baldrick is a new contributor. Be nice, and check out our Code of Conduct.
baldrick is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to WordPress Development Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwordpress.stackexchange.com%2fquestions%2f321307%2fwhat-s-the-difference-between-esc-html-esc-attr-esc-html-e-and-so-on%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
Have you read the documentation?
– Jacob Peattie
Dec 7 at 16:06
Yes and that confused me even more :(
– baldrick
Dec 7 at 16:10