What’s the difference between esc_html, esc_attr, esc_html_e, and so on?
I got feedback from a security guy and he pointed out that I should use proper escaping of user input in my code. So I've done some research and found escaping functions.
What’s the difference between them?
When should I use esc_html() and when esc_attr()?
And when should I use these functions with _e() at the end?
functions escaping
Have you read the documentation?
– Jacob Peattie
yesterday
Yes and that confused me even more :(
– baldrick
yesterday
edited yesterday
Howdy_McGee♦
asked yesterday
baldrick
2 Answers
esc_html() escapes a string so that it is not parsed as HTML. Characters like < are converted to &lt;, for example. This will look the same to the reader, but it means that if the value being output is <script> then it won't be interpreted by the browser as an actual script tag.
Use this function whenever the value being output should not contain HTML.
esc_attr() escapes a string so that it's safe to use in an HTML attribute, like class="" for example. This prevents a value from breaking out of the HTML attribute. For example, if the value is "><script>alert();</script> and you tried to output it in an HTML attribute it would close the current HTML tag and open a script tag. This is unsafe. By escaping the value it won't be able to close the HTML attribute and tag and output unsafe HTML.
Use this function when outputting a value inside an HTML attribute.
esc_url() escapes a string to make sure that it's a valid URL.
Use this function when outputting a value inside an href="" or src="" attribute.
esc_textarea() escapes a value so that it's safe to use in a <textarea> element. By escaping a value with this function it prevents a value being output inside a <textarea> from closing the <textarea> element and outputting its own HTML.
Use this function when outputting a value inside a <textarea> element.
esc_html() and esc_attr() also have versions ending in __(), _e() and _x(). These are for outputting translatable strings.
WordPress has functions, __(), _e() and _x(), for outputting text that can be translated. __() returns a translatable string, _e() echoes a translatable string, and _x() returns a translatable string with a given context. You've probably seen them before.
Since you can't necessarily trust a translation file to contain safe values, using these functions when outputting a translatable string ensures that the strings being output can't cause the same issue described above.
Use these functions when outputting translatable strings.
answered yesterday
Jacob Peattie
esc_html would be used inside of HTML, for example between <p> tags:
<p><?php echo esc_html( $some_variable ); ?></p>
esc_attr would be used for escaping attribute values on HTML tags, like so:
<p my-attribute="<?php echo esc_attr( $some_variable ); ?>"></p>
Applying _e to the end is for using it with text domains and will automatically echo it for you, e.g.:
<p><?php esc_html_e( 'some-text', 'text-domain' ); ?></p>
<p my-attribute="<?php esc_attr_e( 'some-text', 'text-domain' ); ?>"></p>
In addition to _e there is also __, which does the same as _e but doesn't echo it, so you can store it in a variable.
edited yesterday
answered yesterday
jrmd
_e is not just for echoing, it's for localisation. So it should only be used when a string is passed to the function, and should include a text domain. Your last example is misusing it.
– Jacob Peattie
yesterday
@JacobPeattie my bad, I'll update... EDIT: Fixed
– jrmd
yesterday
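The two answers above each cover part of the picture; the following is an added example, not code from either answer or from WordPress itself, that puts every context into one template function: esc_html() for element text, esc_attr() for attributes, esc_url() for href, esc_textarea() for a textarea body, and the esc_html__() / esc_attr_e() variants for translatable UI strings. It assumes it is loaded inside WordPress (a plugin or theme), where those functions exist; the function name my_plugin_render_card, the text domain 'my-plugin' and the hostile sample values are placeholders constructed for this example.

```php
<?php
/**
 * Added example: escape each value for the context it lands in.
 * Assumes WordPress is loaded (esc_html, esc_attr, esc_url,
 * esc_textarea, esc_html__ and esc_attr_e are WordPress core functions).
 * 'my-plugin' is a placeholder text domain.
 */

/**
 * Render a card for an item whose fields came from an untrusted source
 * (form input, a REST body, a third-party feed).
 *
 * @param array $item Keys: 'title', 'url', 'css_class', 'notes'.
 * @return string HTML with every dynamic value escaped for its context.
 */
function my_plugin_render_card( array $item ) {
    // Translatable UI string: esc_html__() translates, escapes and returns.
    // Pass the literal and the text domain directly, never a variable, so
    // the translation tooling can find the string (see the comment above).
    $label = esc_html__( 'Download', 'my-plugin' );

    ob_start();
    ?>
    <div class="card <?php echo esc_attr( $item['css_class'] ); ?>">
        <h2><?php echo esc_html( $item['title'] ); ?></h2>

        <?php // href/src: esc_url() only lets through URLs whose scheme is on the allowed list. ?>
        <a href="<?php echo esc_url( $item['url'] ); ?>"
           title="<?php echo esc_attr( $item['title'] ); ?>">
            <?php echo $label; // already escaped by esc_html__() above ?>
        </a>

        <?php // A string that is both translatable and inside an attribute: esc_attr_e() echoes it. ?>
        <textarea aria-label="<?php esc_attr_e( 'Notes', 'my-plugin' ); ?>"><?php
            // esc_textarea() keeps the value from closing the element early.
            echo esc_textarea( $item['notes'] );
        ?></textarea>
    </div>
    <?php
    return ob_get_clean();
}

// Constructed hostile input: each field tries to break out of its own context.
// With the escaping above none of them reaches the browser as markup.
$untrusted = array(
    'title'     => '<script>alert();</script>',
    'url'       => 'javascript:alert();',
    'css_class' => '"><script>alert();</script>',
    'notes'     => '</textarea><script>alert();</script>',
);

echo my_plugin_render_card( $untrusted );
```

The same value is escaped twice in different ways (esc_html() for the heading, esc_attr() for the title attribute) because the rule is per output context, not per variable.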