What’s the difference between esc_html, esc_attr, esc_html_e, and so on?











up vote
4
down vote

favorite
1












I got feedback from security guy and he pointed out that I should use proper escaping of user input in my code. So I've done some research and found escaping functions.



What’s the difference between them?
When should I use esc_html() and when esc_attr()?
And when should I use these functions with _e() at the end?










share|improve this question









New contributor




baldrick is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 1




    Have you read the documentation?
    – Jacob Peattie
    Dec 7 at 16:06










  • Yes and that confused me even more :(
    – baldrick
    Dec 7 at 16:10















up vote
4
down vote

favorite
1












I got feedback from security guy and he pointed out that I should use proper escaping of user input in my code. So I've done some research and found escaping functions.



What’s the difference between them?
When should I use esc_html() and when esc_attr()?
And when should I use these functions with _e() at the end?










share|improve this question









New contributor




baldrick is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 1




    Have you read the documentation?
    – Jacob Peattie
    Dec 7 at 16:06










  • Yes and that confused me even more :(
    – baldrick
    Dec 7 at 16:10













up vote
4
down vote

favorite
1









up vote
4
down vote

favorite
1






1





I got feedback from security guy and he pointed out that I should use proper escaping of user input in my code. So I've done some research and found escaping functions.



What’s the difference between them?
When should I use esc_html() and when esc_attr()?
And when should I use these functions with _e() at the end?










share|improve this question









New contributor




baldrick is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











I got feedback from security guy and he pointed out that I should use proper escaping of user input in my code. So I've done some research and found escaping functions.



What’s the difference between them?
When should I use esc_html() and when esc_attr()?
And when should I use these functions with _e() at the end?







functions escaping






share|improve this question









New contributor




baldrick is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




baldrick is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited Dec 7 at 19:32









Howdy_McGee

13.1k1354123




13.1k1354123






New contributor




baldrick is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked Dec 7 at 15:59









baldrick

315




315




New contributor




baldrick is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





baldrick is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






baldrick is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 1




    Have you read the documentation?
    – Jacob Peattie
    Dec 7 at 16:06










  • Yes and that confused me even more :(
    – baldrick
    Dec 7 at 16:10














  • 1




    Have you read the documentation?
    – Jacob Peattie
    Dec 7 at 16:06










  • Yes and that confused me even more :(
    – baldrick
    Dec 7 at 16:10








1




1




Have you read the documentation?
– Jacob Peattie
Dec 7 at 16:06




Have you read the documentation?
– Jacob Peattie
Dec 7 at 16:06












Yes and that confused me even more :(
– baldrick
Dec 7 at 16:10




Yes and that confused me even more :(
– baldrick
Dec 7 at 16:10










2 Answers
2






active

oldest

votes

















up vote
9
down vote













esc_html() escapes a string so that it is not parsed as HTML. Characters like < are converted to &lt;, for example. This will look the same to the reader, but it means that if the value being output is <script> then it won't be interpreted by the browser as an actual script tag.



Use this function whenever the value being output should not contain HTML.



esc_attr() escapes a string so that it's safe to use in an HTML attribute, like class="" for example. This prevents a value from breaking out of the HTML attribute. For example, if the value is "><script>alert();</script> and you tried to output it in an HTML attribute it would close the current HTML tag and open a script tag. This is unsafe. By escaping the value it won't be able to close the HTML attribute and tag and output unsafe HTML.



Use this function when outputting a value inside an HTML attribute.



esc_url() escapes a string to make sure that it's a valid URL.



Use this function when outputting a value inside an href="" or src="" attribute.



esc_textarea() escapes a value so that it's safe to use in a <textarea> element. By escaping a value with this function it prevents a value being output inside a <textarea< from closing the <textarea> element and outputting its own HTML.



Use this function when outputting a value inside a <textarea> element.



esc_html() and esc_attr() also have versions ending in __(), _e() and _x(). These are for outputting translatable strings.



WordPress has functions, __(), _e() and _x(), for outputting text that can be translated. __() returns a translatable string, _e() echoes a translatable string, and _x() returns a translatable string with a given context. You've probably seen them before.



Since you can't necessarily trust a translation file to contain safe values, using these functions when outputting a translatable string ensures that the strings being output can't cause the same issue described above.



Use these functions when outputting translatable strings.






share|improve this answer




























    up vote
    3
    down vote













    esc_html would be used inside of html for example between a <p> tag



    <p><?php echo esc_html( $some_variable ); ?></p>


    esc_attr would be used for escaping attribute values on html tags like so:



    <p my-attribute="<?php echo esc_attr( $some_variable ); ?>"></p>


    applying _e to the end is for using it with text domains and will automatically echo it for you e.g:



    <p><?php esc_html_e( 'some-text', 'text-domain' ); ?></p>

    <p my-attribute="<?php esc_attr_e( 'some-text', 'text-domain' ); ?>"></p>


    in addition to _e there is also __ which does the same as _e but doesnt echo it so you can store it in a variable.






    share|improve this answer










    New contributor




    jrmd is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.














    • 2




      _e is not just for echoing, it's for localisation. So it should only be used when a string is passed to the function, and should include a text domain. Your last example is misusing it.
      – Jacob Peattie
      Dec 7 at 16:12










    • @JacobPeattie my bad, i'll update... EDIT Fixed
      – jrmd
      Dec 7 at 16:23













    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "110"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });






    baldrick is a new contributor. Be nice, and check out our Code of Conduct.










    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwordpress.stackexchange.com%2fquestions%2f321307%2fwhat-s-the-difference-between-esc-html-esc-attr-esc-html-e-and-so-on%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    9
    down vote













    esc_html() escapes a string so that it is not parsed as HTML. Characters like < are converted to &lt;, for example. This will look the same to the reader, but it means that if the value being output is <script> then it won't be interpreted by the browser as an actual script tag.



    Use this function whenever the value being output should not contain HTML.



    esc_attr() escapes a string so that it's safe to use in an HTML attribute, like class="" for example. This prevents a value from breaking out of the HTML attribute. For example, if the value is "><script>alert();</script> and you tried to output it in an HTML attribute it would close the current HTML tag and open a script tag. This is unsafe. By escaping the value it won't be able to close the HTML attribute and tag and output unsafe HTML.



    Use this function when outputting a value inside an HTML attribute.



    esc_url() escapes a string to make sure that it's a valid URL.



    Use this function when outputting a value inside an href="" or src="" attribute.



    esc_textarea() escapes a value so that it's safe to use in a <textarea> element. By escaping a value with this function it prevents a value being output inside a <textarea< from closing the <textarea> element and outputting its own HTML.



    Use this function when outputting a value inside a <textarea> element.



    esc_html() and esc_attr() also have versions ending in __(), _e() and _x(). These are for outputting translatable strings.



    WordPress has functions, __(), _e() and _x(), for outputting text that can be translated. __() returns a translatable string, _e() echoes a translatable string, and _x() returns a translatable string with a given context. You've probably seen them before.



    Since you can't necessarily trust a translation file to contain safe values, using these functions when outputting a translatable string ensures that the strings being output can't cause the same issue described above.



    Use these functions when outputting translatable strings.






    share|improve this answer

























      up vote
      9
      down vote













      esc_html() escapes a string so that it is not parsed as HTML. Characters like < are converted to &lt;, for example. This will look the same to the reader, but it means that if the value being output is <script> then it won't be interpreted by the browser as an actual script tag.



      Use this function whenever the value being output should not contain HTML.



      esc_attr() escapes a string so that it's safe to use in an HTML attribute, like class="" for example. This prevents a value from breaking out of the HTML attribute. For example, if the value is "><script>alert();</script> and you tried to output it in an HTML attribute it would close the current HTML tag and open a script tag. This is unsafe. By escaping the value it won't be able to close the HTML attribute and tag and output unsafe HTML.



      Use this function when outputting a value inside an HTML attribute.



      esc_url() escapes a string to make sure that it's a valid URL.



      Use this function when outputting a value inside an href="" or src="" attribute.



      esc_textarea() escapes a value so that it's safe to use in a <textarea> element. By escaping a value with this function it prevents a value being output inside a <textarea< from closing the <textarea> element and outputting its own HTML.



      Use this function when outputting a value inside a <textarea> element.



      esc_html() and esc_attr() also have versions ending in __(), _e() and _x(). These are for outputting translatable strings.



      WordPress has functions, __(), _e() and _x(), for outputting text that can be translated. __() returns a translatable string, _e() echoes a translatable string, and _x() returns a translatable string with a given context. You've probably seen them before.



      Since you can't necessarily trust a translation file to contain safe values, using these functions when outputting a translatable string ensures that the strings being output can't cause the same issue described above.



      Use these functions when outputting translatable strings.






      share|improve this answer























        up vote
        9
        down vote










        up vote
        9
        down vote









        esc_html() escapes a string so that it is not parsed as HTML. Characters like < are converted to &lt;, for example. This will look the same to the reader, but it means that if the value being output is <script> then it won't be interpreted by the browser as an actual script tag.



        Use this function whenever the value being output should not contain HTML.



        esc_attr() escapes a string so that it's safe to use in an HTML attribute, like class="" for example. This prevents a value from breaking out of the HTML attribute. For example, if the value is "><script>alert();</script> and you tried to output it in an HTML attribute it would close the current HTML tag and open a script tag. This is unsafe. By escaping the value it won't be able to close the HTML attribute and tag and output unsafe HTML.



        Use this function when outputting a value inside an HTML attribute.



        esc_url() escapes a string to make sure that it's a valid URL.



        Use this function when outputting a value inside an href="" or src="" attribute.



        esc_textarea() escapes a value so that it's safe to use in a <textarea> element. By escaping a value with this function it prevents a value being output inside a <textarea< from closing the <textarea> element and outputting its own HTML.



        Use this function when outputting a value inside a <textarea> element.



        esc_html() and esc_attr() also have versions ending in __(), _e() and _x(). These are for outputting translatable strings.



        WordPress has functions, __(), _e() and _x(), for outputting text that can be translated. __() returns a translatable string, _e() echoes a translatable string, and _x() returns a translatable string with a given context. You've probably seen them before.



        Since you can't necessarily trust a translation file to contain safe values, using these functions when outputting a translatable string ensures that the strings being output can't cause the same issue described above.



        Use these functions when outputting translatable strings.






        share|improve this answer












        esc_html() escapes a string so that it is not parsed as HTML. Characters like < are converted to &lt;, for example. This will look the same to the reader, but it means that if the value being output is <script> then it won't be interpreted by the browser as an actual script tag.



        Use this function whenever the value being output should not contain HTML.



        esc_attr() escapes a string so that it's safe to use in an HTML attribute, like class="" for example. This prevents a value from breaking out of the HTML attribute. For example, if the value is "><script>alert();</script> and you tried to output it in an HTML attribute it would close the current HTML tag and open a script tag. This is unsafe. By escaping the value it won't be able to close the HTML attribute and tag and output unsafe HTML.



        Use this function when outputting a value inside an HTML attribute.



        esc_url() escapes a string to make sure that it's a valid URL.



        Use this function when outputting a value inside an href="" or src="" attribute.



        esc_textarea() escapes a value so that it's safe to use in a <textarea> element. By escaping a value with this function it prevents a value being output inside a <textarea< from closing the <textarea> element and outputting its own HTML.



        Use this function when outputting a value inside a <textarea> element.



        esc_html() and esc_attr() also have versions ending in __(), _e() and _x(). These are for outputting translatable strings.



        WordPress has functions, __(), _e() and _x(), for outputting text that can be translated. __() returns a translatable string, _e() echoes a translatable string, and _x() returns a translatable string with a given context. You've probably seen them before.



        Since you can't necessarily trust a translation file to contain safe values, using these functions when outputting a translatable string ensures that the strings being output can't cause the same issue described above.



        Use these functions when outputting translatable strings.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Dec 7 at 16:28









        Jacob Peattie

        15k41826




        15k41826
























            up vote
            3
            down vote













            esc_html would be used inside of html for example between a <p> tag



            <p><?php echo esc_html( $some_variable ); ?></p>


            esc_attr would be used for escaping attribute values on html tags like so:



            <p my-attribute="<?php echo esc_attr( $some_variable ); ?>"></p>


            applying _e to the end is for using it with text domains and will automatically echo it for you e.g:



            <p><?php esc_html_e( 'some-text', 'text-domain' ); ?></p>

            <p my-attribute="<?php esc_attr_e( 'some-text', 'text-domain' ); ?>"></p>


            in addition to _e there is also __ which does the same as _e but doesnt echo it so you can store it in a variable.






            share|improve this answer










            New contributor




            jrmd is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.














            • 2




              _e is not just for echoing, it's for localisation. So it should only be used when a string is passed to the function, and should include a text domain. Your last example is misusing it.
              – Jacob Peattie
              Dec 7 at 16:12










            • @JacobPeattie my bad, i'll update... EDIT Fixed
              – jrmd
              Dec 7 at 16:23

















            up vote
            3
            down vote













            esc_html would be used inside of html for example between a <p> tag



            <p><?php echo esc_html( $some_variable ); ?></p>


            esc_attr would be used for escaping attribute values on html tags like so:



            <p my-attribute="<?php echo esc_attr( $some_variable ); ?>"></p>


            applying _e to the end is for using it with text domains and will automatically echo it for you e.g:



            <p><?php esc_html_e( 'some-text', 'text-domain' ); ?></p>

            <p my-attribute="<?php esc_attr_e( 'some-text', 'text-domain' ); ?>"></p>


            in addition to _e there is also __ which does the same as _e but doesnt echo it so you can store it in a variable.






            share|improve this answer










            New contributor




            jrmd is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.














            • 2




              _e is not just for echoing, it's for localisation. So it should only be used when a string is passed to the function, and should include a text domain. Your last example is misusing it.
              – Jacob Peattie
              Dec 7 at 16:12










            • @JacobPeattie my bad, i'll update... EDIT Fixed
              – jrmd
              Dec 7 at 16:23















            up vote
            3
            down vote










            up vote
            3
            down vote









            esc_html would be used inside of html for example between a <p> tag



            <p><?php echo esc_html( $some_variable ); ?></p>


            esc_attr would be used for escaping attribute values on html tags like so:



            <p my-attribute="<?php echo esc_attr( $some_variable ); ?>"></p>


            applying _e to the end is for using it with text domains and will automatically echo it for you e.g:



            <p><?php esc_html_e( 'some-text', 'text-domain' ); ?></p>

            <p my-attribute="<?php esc_attr_e( 'some-text', 'text-domain' ); ?>"></p>


            in addition to _e there is also __ which does the same as _e but doesnt echo it so you can store it in a variable.






            share|improve this answer










            New contributor




            jrmd is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.









            esc_html would be used inside of html for example between a <p> tag



            <p><?php echo esc_html( $some_variable ); ?></p>


            esc_attr would be used for escaping attribute values on html tags like so:



            <p my-attribute="<?php echo esc_attr( $some_variable ); ?>"></p>


            applying _e to the end is for using it with text domains and will automatically echo it for you e.g:



            <p><?php esc_html_e( 'some-text', 'text-domain' ); ?></p>

            <p my-attribute="<?php esc_attr_e( 'some-text', 'text-domain' ); ?>"></p>


            in addition to _e there is also __ which does the same as _e but doesnt echo it so you can store it in a variable.







            share|improve this answer










            New contributor




            jrmd is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.









            share|improve this answer



            share|improve this answer








            edited Dec 7 at 16:25





















            New contributor




            jrmd is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.









            answered Dec 7 at 16:04









            jrmd

            1315




            1315




            New contributor




            jrmd is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.





            New contributor





            jrmd is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.






            jrmd is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.








            • 2




              _e is not just for echoing, it's for localisation. So it should only be used when a string is passed to the function, and should include a text domain. Your last example is misusing it.
              – Jacob Peattie
              Dec 7 at 16:12










            • @JacobPeattie my bad, i'll update... EDIT Fixed
              – jrmd
              Dec 7 at 16:23
















            • 2




              _e is not just for echoing, it's for localisation. So it should only be used when a string is passed to the function, and should include a text domain. Your last example is misusing it.
              – Jacob Peattie
              Dec 7 at 16:12










            • @JacobPeattie my bad, i'll update... EDIT Fixed
              – jrmd
              Dec 7 at 16:23










            2




            2




            _e is not just for echoing, it's for localisation. So it should only be used when a string is passed to the function, and should include a text domain. Your last example is misusing it.
            – Jacob Peattie
            Dec 7 at 16:12




            _e is not just for echoing, it's for localisation. So it should only be used when a string is passed to the function, and should include a text domain. Your last example is misusing it.
            – Jacob Peattie
            Dec 7 at 16:12












            @JacobPeattie my bad, i'll update... EDIT Fixed
            – jrmd
            Dec 7 at 16:23






            @JacobPeattie my bad, i'll update... EDIT Fixed
            – jrmd
            Dec 7 at 16:23












            baldrick is a new contributor. Be nice, and check out our Code of Conduct.










            draft saved

            draft discarded


















            baldrick is a new contributor. Be nice, and check out our Code of Conduct.













            baldrick is a new contributor. Be nice, and check out our Code of Conduct.












            baldrick is a new contributor. Be nice, and check out our Code of Conduct.
















            Thanks for contributing an answer to WordPress Development Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.





            Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


            Please pay close attention to the following guidance:


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwordpress.stackexchange.com%2fquestions%2f321307%2fwhat-s-the-difference-between-esc-html-esc-attr-esc-html-e-and-so-on%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            數位音樂下載

            When can things happen in Etherscan, such as the picture below?

            格利澤436b