Escaping WordPress Output

By: Ryan Kienstra on: January 3, 2015  in: Security, WordPress VIP

escaping WordPress output iconNever assume anything.

That’s a core principle of the WordPress VIP Standards.

Don’t assume that data is secure.

  • Even if it was validated on input.
  • Even if an administrator entered it.

Almost all PHP values should be escaped when they’re echoed.

This will guard against malicious scripts.

And ensure that the display isn’t broken by the wrong characters.

Late Escaping

Escape a value where it’s echoed.

This is required for VIP themes and plugins.

In the example below, $anchor_text is escaped inline.

<input type=“text“ id=“anchor_text“ value=“<?php echo esc_attr( $anchor_text ); ?>“ name=“wle_plugin_options[anchor_text]“ placeholder=“<?php _e( ‘Read more‘ , ‘widget-live-editor‘ ); ?>“/>

(From my Widget Live Editor plugin)

It only takes one look to know this is escaped.

And the code can be changed without security issues.

Common Escaping Functions


esc_html( $html )

The most common function for html output.

<span class=“customize-control-title“><?php echo esc_html( $this->label ); ?></span>

(From my Widget Live Editor plugin)


esc_attr( $attribute )

  • Used for most tag attributes.
  • The same as esc_html, but uses the attribute_escape filter.
<textarea name=“<?php echo esc_attr( $name_header_extra_markup ); ?>“ rows=“10“ cols=“55“>

(From my “Adapter” theme)


esc_url( $url )

  • Returns false if $url doesn’t use the right protocol (http, https, etc.).
  • Strips dangerous characters.
<input type="text" value="<?php echo esc_url( $video_url ); ?>" id="<?php echo esc_attr( $this->get_field_id( 'video_url' ) ); ?>" class="widefat" name="<?php echo esc_attr( $this->get_field_name( 'video_url' ) ); ?>" placeholder="e.g. www.youtube.com/watch?v=mOXRZ0eYSA0" \>

(From my Adapter Responsive Video plugin)


esc_textarea( $input )

  • Crucial for textarea boxes.
  • You’ll see right away if you didn’t use it.
<textarea name=“<?php echo esc_attr( $name_header_extra_markup ); ?>“ rows=“10“ cols=“55“> <?php echo esc_textarea( get_theme_mod( $name_header_extra _markup ) ); ?> </textarea>

(From my “Adapter” theme)


Exceptions

Some WordPress functions handle the escaping for you.

Many of these start with the_ , like the_permalink() or the_title_attribute().

In the example below, the_permalink() echoes a url into an option tag.

<option value=“<?php the_permalink(); ?>“ <?php selected( $this->value() , get_permalink() , false ); ?>>

(From my Widget Live Editor plugin)

When In Doubt, Escape

WordPress VIP engineer Nick Daugherty has a great article on The Importance Of Escaping All Things.

He even suggests escaping all WordPress functions.

In the example above, I could have used echo esc_url( get_the_permalink() ) instead of the_permalink().

The function the_permalink() echoes, so it can’t be escaped manually.

You can use its similar function, get_the_permalink().

This returns the value, which you can escape and echo.

Functions: the_* vs. get_*

Most functions that start with the_ have a similar function that starts with get_.

For example, the_title() is similar to get_the_title().

You could use echo esc_html( get_the_title() ) instead of the_title().

Ensuring Security

Escape almost all PHP values as they’re echoed. Even if you’ve validated them as input.

By following these WordPress VIP standards, you’ll guard against:

  • Malicious scripts
  • A broken display

What’s your philosophy for escaping WordPress output?

Do you escape everything, including core WordPress functions?

Leave your comment below.

  • This field is for validation purposes and should be left unchanged.

Leave a comment

Get Free Updates

  • This field is for validation purposes and should be left unchanged.