
I'm looking through _s (underscores) starter theme and see that they're using esc_html for nearly everything. Just an example from functions.php

register_nav_menus( array(
        'primary' => esc_html__( 'Primary', '_s' ),
) );

register_sidebar( array(
        'name'          => esc_html__( 'Sidebar', '_s' ),
        'id'            => 'sidebar-1',
        'description'   => esc_html__( 'Add widgets here.', '_s' ),
        'before_widget' => '<section id="%1$s" class="widget %2$s">',
        'after_widget'  => '</section>',
        'before_title'  => '<h2 class="widget-title">',
        'after_title'   => '</h2>',
) );

My current understanding of esc_html is to use it when we output either data from the database or user input.

Why escape the names of the menu and sidebar?

It's only available to people that have access to the php files and it doesn't appear to be put into the db. I looked through the db and couldn't find anything related to the names, please correct me if I'm wrong.

Is the underscores theme just being overly cautious about everything?

Thanks

asked Nov 2, 2016 at 22:00 by John_911; edited Nov 2, 2016 at 22:11 by John_911
  • 1 I think they are using it to internationalize the theme – user3635808 Commented Nov 2, 2016 at 22:07
  • @user3635808 For translation? That makes more sense. I was only looking at this from a security viewpoint and didn't consider anything else – John_911 Commented Nov 2, 2016 at 22:12
  • 1 Yes, for translation. – user3635808 Commented Nov 2, 2016 at 22:12
  • @user3635808 Ahhh, I didn't even catch that I was looking up esc_html instead of esc_html__ - note the double underscores at the end. – John_911 Commented Nov 2, 2016 at 22:15
  • @user3635808 That may make a good answer if you add in some research and examples :) – Howdy_McGee Commented Nov 2, 2016 at 22:18

4 Answers


esc_html() does two things:

  1. Checks for invalid UTF-8 in a string.
  2. Converts a number of special characters into their HTML entities; specifically it deals with &, <, >, " and '.

Using it instead of __(), _e() and other i18n functions protects your website from possible errors that can occur with unaware translators who may use text that contains (1) invalid UTF-8 characters or (2) unwanted HTML code. Trust me, many translators will be tempted to use some 'nice' HTML tags like <i>, <b>, etc.; even worse, they won't close them correctly.

esc_html__( string $text, string $domain = 'default' )

Retrieves the translation of $text and escapes it for safe use in HTML output. So esc_html__() is used for internationalization as well as for security purposes.

https://codex.wordpress.org/Function_Reference/esc_html_2

The waters are muddy here. OP's question asks about esc_html(), but his code clearly uses esc_html__(). These are not the same. The accepted answer is wrong: it refers to esc_html(), which deals with safely escaping HTML blocks. Kanon Chowdhury's reply should be the accepted answer, because OP's code deals with the I18n aspects of the Underscores WordPress starter theme (which uses the esc_html__() function).

esc_html() and esc_html__() are NOT the same functions. The main difference is, esc_html() takes just one string and returns an escaped HTML string. On the other hand, esc_html__() takes 2 strings as parameters and returns a translated and escaped string.
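To make the first answer (what esc_html() does to a string) and the answer above (esc_html() versus esc_html__()) concrete, here is an added example that is not code from the original thread or from the Underscores theme. It runs stand-alone without WordPress: translate_text(), escape_html() and escape_html_translate() are hypothetical stand-ins written here to mirror the documented behaviour of __(), esc_html() and esc_html__(), and the translation catalogue is constructed for the demonstration. It shows why a theme escapes even its own hard-coded labels: the string that reaches the page is whatever the translator supplied, not what the developer typed in functions.php.

```php
<?php
// Added example (not from the original post or the Underscores theme).
// Runs without WordPress: translate_text(), escape_html() and
// escape_html_translate() are hypothetical stand-ins that follow the
// documented behaviour of WordPress's __(), esc_html() and esc_html__().

// Constructed translation catalogue standing in for a theme's .mo file.
// Entry 2 simulates a translator who pasted an unclosed <i> tag,
// entry 3 a string carrying a truncated (invalid) UTF-8 sequence.
$catalogue = array(
    'Primary'           => 'Primär',
    'Add widgets here.' => '<i>Widgets hier hinzufügen.',
    'Sidebar'           => "Seitenleiste \xC3",
);

// Stand-in for __(): return the translation when one exists, else the source text.
function translate_text(string $text, array $catalogue): string
{
    return $catalogue[$text] ?? $text;
}

// Stand-in for esc_html(): reject invalid UTF-8 (WordPress's
// wp_check_invalid_utf8() returns an empty string in that case), then
// convert & < > " ' to entities. double_encode=false mirrors
// _wp_specialchars(), which leaves entities that are already present alone.
function escape_html(string $text): string
{
    // preg_match() with the /u modifier returns false on malformed UTF-8.
    if ($text !== '' && preg_match('//u', $text) !== 1) {
        return '';
    }
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
}

// Stand-in for esc_html__(): translate first, then escape the result.
function escape_html_translate(string $text, array $catalogue): string
{
    return escape_html(translate_text($text, $catalogue));
}

// Render each label both ways, wrapped the way register_sidebar()'s
// before_title / after_title would wrap a widget title.
foreach (array_keys($catalogue) as $label) {
    $unescaped = translate_text($label, $catalogue);         // what __() hands back
    $escaped   = escape_html_translate($label, $catalogue);  // what esc_html__() hands back
    printf("%-20s __():         <h2 class=\"widget-title\">%s</h2>\n", $label, $unescaped);
    printf("%-20s esc_html__(): <h2 class=\"widget-title\">%s</h2>\n", '', $escaped);
}
```

Run it with `php example.php`. The unescaped column shows the translator's stray `<i>` and the broken byte going straight into the markup; the escaped column shows the tag neutralised as text and the invalid string dropped, which is exactly the protection the first answer describes and the reason the theme does not trust its own labels once they have passed through the translation layer.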

The accepted answer is incorrect, indeed.

Tags: security. Question title: Can someone explain the use cases of esc_html