esc_url() and WordPress security?

Can someone explain when to use the escaping functions?

My goal is to secure my WordPress theme. I used Chris Coyier's blank theme and added the code to make the site I wanted. I noticed that other themes use escaping functions, but Coyier's blank theme does not, so I want to understand where to insert them.

After reading the Codex and Google results and studying the code of several themes, I still do not understand when to use

esc_url()  
esc_attr()  
esc_html()  

I do not see a usage pattern. For example, in one theme, for home_url( '/' ), note that esc_url is used in header.php but not in searchform.php. Why?

header.php

<a href=
// NOTICE ESCAPING FUNCTION BELOW
"<?php echo esc_url( home_url( '/' ) ); ?>"
title="<?php echo esc_attr( get_bloginfo( 'name', 'display' ) ); ?>" rel="home"><?php bloginfo( 'name' ); ?></a>

searchform.php

<form role="search" method="get" id="searchform" action=
// NO ESCAPING FUNCTION BELOW
"<?php echo home_url( '/' ); ?>"
>
+4

. , , - , HTML.

, , , .

, escape-, - URL- Wordpress. URL- Wordpress, escape- .

, URL- , ,

<?php echo get_permalink() . '?order=time' ?>

escape, URL.

<?php echo esc_url(get_permalink() . '?order=time') ?>

, add_query_string,

<?php echo add_query_arg('order', 'time', get_permalink()) ?>

escape, URL- Wordpress.

escape header.php. , , , , , .

, , Wordpress codex: https://codex.wordpress.org/Data_Validation

+4
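
The header.php and searchform.php fragments from the question, rewritten so every value is escaped at the point of output with the function that matches its context. This is an added example, not code from the question, the answers or any theme mentioned here; it assumes the file is loaded by WordPress as a theme template part, and the file name, the `my-theme` text domain and the handling of the `order` parameter are hypothetical.

```php
<?php
/**
 * Added example (hypothetical template part, e.g. template-parts/escaping-demo.php).
 * Assumes WordPress has loaded the theme, so the core functions below exist.
 * Rule shown: escape late, at output, with the function for that output context.
 */

// URL context: values printed into href/src/action go through esc_url().
$home_url = home_url( '/' );

// add_query_arg() does not escape its return value (per the WordPress
// developer reference), so it is passed through esc_url() when printed.
$sorted_url = add_query_arg( 'order', 'time', get_permalink() );

// Request data is untrusted: unslash and sanitize on input, escape again on output.
$order = isset( $_GET['order'] ) ? sanitize_key( wp_unslash( $_GET['order'] ) ) : '';
?>
<!-- header.php: URL in href, plain text in an attribute, plain text in element body -->
<a href="<?php echo esc_url( $home_url ); ?>"
   title="<?php echo esc_attr( get_bloginfo( 'name', 'display' ) ); ?>"
   rel="home"><?php echo esc_html( get_bloginfo( 'name' ) ); ?></a>

<!-- A URL with a query string built in the theme -->
<a href="<?php echo esc_url( $sorted_url ); ?>">
	<?php echo esc_html__( 'Sort by time', 'my-theme' ); ?>
</a>

<?php if ( '' !== $order ) : ?>
	<!-- Text context: esc_html() for anything printed between tags -->
	<p><?php echo esc_html( sprintf( 'Current order: %s', $order ) ); ?></p>
<?php endif; ?>

<!-- searchform.php: the form action is a URL context, same as href above -->
<form role="search" method="get" id="searchform"
      action="<?php echo esc_url( $home_url ); ?>">
	<!-- get_search_query() applies esc_attr() itself by default -->
	<input type="search" name="s" value="<?php echo get_search_query(); ?>" />
	<input type="submit" value="<?php echo esc_attr__( 'Search', 'my-theme' ); ?>" />
</form>
```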

escape- wordpress , wordpress. , , .. escape-.

0

You need to use the WordPress escaping functions for any custom content insertion, as John says.

Take a look at the link I provided to learn about WordPress's escaping functions.

http://codeseekah.com/2012/03/13/wordpress-escape-functions/

0