I’ve been trying to submit a plugin for review and I keep having problems with the echo line.
The last version I sent was like this.
```php
<option value="">
<?php _e( '- Default', MF_TEXT_DOMAIN ); ?>
</option>
<?php foreach ( $folders as $folder ) {
    $folder = trim( $folder );
    $folder = esc_attr( $folder );
    echo "<option value=\"{$folder}\">{$folder}</option>";
} ?>
```
And the WordPress response was:
> This is not escaped:
>
> ```php
> echo "<option value=\"{$folder}\">{$folder}</option>";
> ```
>
> $folder MUST be escaped when it’s echo’d.
Now I’m ready to submit the code for review again but first I want to make sure I’m correct.
Here is the new code:

```php
<option value="">
<?php _e( '- Default', MF_TEXT_DOMAIN ); ?>
</option>
<?php foreach ( $folders as $folder ) {
    $folder = trim( $folder );
    echo '<option value="' . esc_attr( $folder ) . '">' . esc_attr( $folder ) . '</option>';
} ?>
```
I’d be very grateful if someone could help, as I’m a bit confused about the escaping.

2 Answers
According to the developer documents, everything must be escaped for security reasons. WordPress provides different escaping functions for different kinds of data; here is the official documentation if you want to read more into it:

https://developer.wordpress.org/apis/security/escaping/
I think you already found your answer, but I still have a few clarifications on this topic, and I have optimized the code with escaping.

You must escape the option text which will show in the front view; it must be escaped with esc_html. In the first line you can see I have escaped the _e function using esc_html_e, because it is also necessary to escape all the static text. And lastly, as best practice, I always use HTML code in the HTML part and PHP code in the PHP tag area. Here is the optimized code for better understanding.

It may take more PHP tags, but it is best practice to place your code as PHP and HTML separately. I hope it will help you.
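As an added example (not code from the question or from either answer), the stand-alone PHP script below renders the same `<select>` two ways: the rejected form that interpolates `$folder` straight into the echo, and the late-escaped form that applies esc_attr() inside the attribute and esc_html() in the element text at the point of output, which is what the plugin reviewer's "MUST be escaped when it's echo'd" is asking for. The first version in the question escaped `$folder` once, a few lines earlier, and still got flagged because the review looks at the echo line itself. Outside WordPress the esc_* functions do not exist, so the script defines stand-ins when they are missing (assumption: they behave like htmlspecialchars() with ENT_QUOTES, which is what WordPress does for these two); MF_TEXT_DOMAIN, the `mf_folder` field name and the `$folders` values are constructed for the demonstration.

```php
<?php
// Added example; not the questioner's or answerer's code.
// Stand-ins so the script runs with plain `php` outside WordPress.
// Assumption: WordPress esc_attr()/esc_html() are equivalent to
// htmlspecialchars() with ENT_QUOTES for the purpose of this demo.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html_e' ) ) {
    // Stand-in: real WordPress translates $text in $domain first, then escapes and echoes.
    function esc_html_e( $text, $domain = 'default' ) {
        echo esc_html( $text );
    }
}
if ( ! defined( 'MF_TEXT_DOMAIN' ) ) {
    define( 'MF_TEXT_DOMAIN', 'mf-example' ); // placeholder text domain
}

// Constructed sample data. The last entry is the kind of value a reviewer
// worries about: unescaped, it closes the attribute and injects markup.
$folders = array(
    'uploads ',
    'docs & files',
    'x"><script>alert(1)</script>',
);

/**
 * Unescaped rendering, mirroring the line the plugin reviewer rejected.
 * Kept only to show the difference in output; never ship this form.
 */
function render_unescaped( array $folders ) {
    $html = '';
    foreach ( $folders as $folder ) {
        $folder = trim( $folder );
        $html  .= "<option value=\"{$folder}\">{$folder}</option>\n";
    }
    return $html;
}

/**
 * Late-escaped rendering: each value is escaped on the echo line itself,
 * with esc_attr() for the attribute and esc_html() for the element text.
 */
function render_escaped( array $folders ) {
    $html = '';
    foreach ( $folders as $folder ) {
        $folder = trim( $folder );
        $html  .= '<option value="' . esc_attr( $folder ) . '">' . esc_html( $folder ) . "</option>\n";
    }
    return $html;
}

echo "--- unescaped (rejected form) ---\n", render_unescaped( $folders );
echo "--- escaped (late escaping) ---\n", render_escaped( $folders );
?>
<!-- Same list with HTML kept outside the PHP tags, static label escaped with esc_html_e() -->
<select name="mf_folder">
    <option value=""><?php esc_html_e( '- Default', MF_TEXT_DOMAIN ); ?></option>
    <?php foreach ( $folders as $folder ) : $folder = trim( $folder ); ?>
        <option value="<?php echo esc_attr( $folder ); ?>"><?php echo esc_html( $folder ); ?></option>
    <?php endforeach; ?>
</select>
```

Run it with `php example.php` and compare the two blocks: in the unescaped output the third folder name terminates the `value` attribute and emits a `<script>` element, while in the escaped output the same string appears as inert text (`&quot;`, `&lt;`, `&gt;`). The trailing template shows the "HTML in the HTML part, PHP in PHP tags" layout the second answer recommends; the escaping calls sit on the output line in both styles, so a reviewer scanning for an echo of raw data finds none.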