When I add WordPress escaping code like esc_attr_e to the variable below, it writes text instead of HTML code to my browser:
<?php echo esc_attr_e( $redux_demo['editor-text-header-left'], 'hekim' ); ?>
When I remove the escaping code, the variable gives HTML code.
Now, it gives the text below:
<a href="#"><i class="fa fa-medkit text-thm2"></i> Help | </a><a href="#">Forum | </a><a href="#">Skype | </a><a href="#">Mon - Sat 9.00 - 19.00</a>
How can I escape it correctly?
asked May 26, 2020 at 19:42 by Faruk rıza
1 Answer
There are several issues here:
- echo esc_attr_e should be just esc_attr_e, the _e means it already echoes
- esc_attr_e is not just an escaping function, it's a localisation API, it's shorthand for echo esc_attr( __(
- esc_attr strips out HTML, it's intended for use inside HTML attributes where HTML tags are not allowed.
- You must never pass variables and dynamic values into localisation functions
If you want to escape a string that contains basic HTML such as paragraphs etc, use wp_kses_post, e.g.:
echo wp_kses_post( $redux_demo['editor-text-header-left'] );
esc_attr and esc_attr_r are for use inside attributes. There is no single escaping function, rather you have to use the one appropriate for your situation. Additionally, esc_attr_e is not shorthand for echo esc_attr( it's actually a part of the translation API aka echo esc_attr( __(, you should not be passing HTML strings into the translation APIs. – Tom J Nowell ♦ Commented May 26, 2020 at 20:04
esc_html is to print text instead of HTML. If you want to allow any HTML, then it shouldn't be escaped. – Jacob Peattie Commented May 27, 2020 at 0:05
esc_html isn't intended to print out HTML tags, it's for printing out text that shouldn't have HTML in it. As Jacob said, if you want to allow anything then it isn't possible to escape (allowing anything means it's unescaped by definition). Your HTML fragment is too complex to escape, and this is not the right location to do escaping, it's too high up the chain. Escaping needs to be granular, so don't escape a menu, escape the attributes on the tags, and the labels etc, not the whole thing all at once – Tom J Nowell ♦ Commented May 27, 2020 at 8:48
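
The two approaches raised in the answer and in the last comment, as an added example that is not part of the original posts: filtering the stored HTML through an allow-list (here wp_kses with a narrower list than wp_kses_post uses, which goes slightly beyond the answer), and granular escaping of each attribute and label. It assumes WordPress is loaded; hekim_header_html() and hekim_header_links() are hypothetical names and the sample input is constructed.

```php
<?php
// Added example; assumes it runs inside WordPress (theme template or
// functions.php), where wp_kses(), esc_url(), esc_attr(), esc_html() exist.
// hekim_header_html() and hekim_header_links() are hypothetical helpers.

// Option 1: keep the stored HTML, but allow only the tags and attributes
// the header needs. wp_kses() removes every tag or attribute not listed.
function hekim_header_html( $html ) {
	$allowed = array(
		'a' => array( 'href' => true ),
		'i' => array( 'class' => true ),
	);
	return wp_kses( $html, $allowed );
}

// Option 2: store data instead of markup and escape each value for the
// context it lands in: esc_url() for href, esc_attr() for the class
// attribute, esc_html() for the visible label.
function hekim_header_links( array $items ) {
	$out = '';
	foreach ( $items as $item ) {
		$icon = '';
		if ( ! empty( $item['icon'] ) ) {
			$icon = '<i class="' . esc_attr( $item['icon'] ) . '"></i> ';
		}
		$out .= sprintf(
			'<a href="%s">%s%s</a>',
			esc_url( $item['url'] ),
			$icon,
			esc_html( $item['label'] )
		);
	}
	return $out;
}

// Constructed sample input, modelled on the header text in the question,
// with an event handler attribute added to show the filter at work.
$stored = '<a href="#" onclick="x()"><i class="fa fa-medkit text-thm2"></i> Help | </a>';
echo hekim_header_html( $stored );

// Constructed structured version of the same header.
$items = array(
	array( 'url' => '#', 'icon' => 'fa fa-medkit text-thm2', 'label' => 'Help | ' ),
	array( 'url' => '#', 'label' => 'Mon - Sat 9.00 - 19.00' ),
);
echo hekim_header_links( $items );
```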