
I’ve been trying to submit a plugin for review and I keep having problems with the echo line.
The last version I sent was like this:

<option value="">
    <?php _e( '- Default', MF_TEXT_DOMAIN ); ?>
</option>
<?php foreach ( $folders as $folder ) {
    $folder = trim( $folder );
    $folder = esc_attr( $folder );
    echo "<option value=\"{$folder}\">{$folder}</option>";
} ?>

And the WordPress response was:

This is not escaped:

echo "<option value=\"{$folder}\">{$folder}</option>";

$folder MUST be escaped when it’s echoed.

Now I’m ready to submit the code for review again, but first I want to make sure I’m correct.

Here is the new code:

<option value="">
    <?php _e( '- Default', MF_TEXT_DOMAIN ); ?>
</option>
<?php foreach ( $folders as $folder ) {
    $folder = trim( $folder );
    echo '<option value="' . esc_attr( $folder ) . '">' . esc_attr( $folder ) . '</option>';
} ?>

I’d be very grateful if someone could help, as I’m a bit confused about the “escaped” part.

2 Answers


  1. According to the developer documentation, everything must be escaped for security reasons. Here are the escaping functions WordPress provides for different kinds of data:

    esc_attr()      // Use on everything else that’s printed into an HTML element’s attribute.
    esc_html()      // Use anytime an HTML element encloses a section of data being displayed. This WILL NOT display HTML content, it is meant for being used inside HTML and will remove your HTML.
    esc_js()        // Use for inline Javascript.
    esc_textarea()  // Use this to encode text for use inside a textarea element.
    esc_url()       // Use on all URLs, including those in the src and href attributes of an HTML element.
    esc_url_raw()   // Use when storing a URL in the database or in other cases where non-encoded URLs are needed.
    wp_kses()       // Use to safely escape for all non-trusted HTML (post text, comment text, etc.)
    wp_kses_post()  // Alternative version of wp_kses() that automatically allows all HTML that is permitted in post content.
    wp_kses_data()  // Alternative version of wp_kses() that allows only the HTML permitted in post comments.
    

    Here is the official documentation if you want to read more about it.

    https://developer.wordpress.org/apis/security/escaping/

  2. I think you have already found your answer, but I still have a few clarifications on this topic, and I have optimized the code with escaping.

    <option value="">
        <?php esc_html_e( '- Default', MF_TEXT_DOMAIN ); ?>
    </option>
    <?php foreach ( $folders as $folder ) {
        $folder = trim( $folder );
        echo '<option value="' . esc_attr( $folder ) . '">' . esc_html( $folder ) . '</option>';
    } ?>
    

    You must escape the option text that is shown in the front end, and it must be escaped with esc_html. In the first line you can see that I have escaped the _e function by using esc_html_e, because it is also necessary to escape all static text.

    And lastly, as a best practice I always keep HTML in the HTML part and PHP code inside PHP tags. Here is the optimized code for a better understanding.

    <option value="">
        <?php esc_html_e( '- Default', MF_TEXT_DOMAIN ); ?>
    </option>
    <?php foreach ( $folders as $folder ) {
        $folder = trim( $folder );
        ?>
        <option value="<?php echo esc_attr( $folder ); ?>"><?php echo esc_html( $folder ); ?></option>
    <?php } ?>
    

    It may take more PHP tags, but it is best practice to keep your PHP and HTML separate. I hope this helps.

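As an added worked example (not the plugin's code, not WordPress core, and not part of either answer above), the following standalone script renders the same folder options two ways: interpolating the raw value into the markup, and escaping it at the point of output as the second answer shows. The `esc_attr()`/`esc_html()` shims are an assumption so the script runs outside WordPress; they approximate the real functions, which also encode quotes. The folder names are constructed sample input, one of them hostile.

```php
<?php
/**
 * Added example (not the plugin's or WordPress's own code): late escaping of
 * a folder name in both the attribute and text contexts of an <option>.
 *
 * Assumption: when run outside WordPress, esc_attr()/esc_html() are defined
 * here as minimal stand-ins built on htmlspecialchars(). Inside WordPress the
 * real functions are used instead.
 */

if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

/**
 * Unsafe version: the value is dropped into the markup with no escaping at the
 * point of output. A folder name containing a double quote breaks out of the
 * value="" attribute, and one containing "</option>" breaks out of the element.
 */
function render_folder_options_unsafe( array $folders ) {
    $html = '';
    foreach ( $folders as $folder ) {
        $folder = trim( $folder );
        $html  .= "<option value=\"{$folder}\">{$folder}</option>\n";
    }
    return $html;
}

/**
 * Hardened version: escape once per context, right where the value is echoed.
 * esc_attr() for the attribute value, esc_html() for the element's text.
 */
function render_folder_options( array $folders ) {
    $html = '';
    foreach ( $folders as $folder ) {
        $folder = trim( $folder );
        $html  .= '<option value="' . esc_attr( $folder ) . '">' . esc_html( $folder ) . "</option>\n";
    }
    return $html;
}

// Constructed sample input: one benign name, one that tries to close the
// attribute and add an event handler, one that tries to close the element
// and inject a script tag.
$folders = array(
    'Invoices',
    'Sales" onmouseover="alert(1)',
    '</option><script>alert(2)</script>',
);

echo "--- unsafe ---\n", render_folder_options_unsafe( $folders );
echo "--- escaped ---\n", render_folder_options( $folders );
```

Run it with `php` on the command line: in the unsafe output the second name becomes a live `onmouseover` attribute and the third becomes a real `<script>` element, while in the escaped output the quotes and angle brackets appear as `&quot;`, `&lt;` and `&gt;` and both names render as plain text. Assigning `esc_attr( $folder )` back into `$folder` and interpolating it later, as in the rejected version, produces the same bytes, but the reviewer cannot see the escape at the `echo`, which is why escaping at the output line is the convention WordPress reviewers check for.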