Should the value of functions such as the_permalink() be escaped before outputting to the browser? For example, do I need to escape the following?
<a href="<?php the_permalink(); ?>">Link text</a>
I'm aware I should escape user-submitted data etc., but is it safe to assume WordPress has escaped data in core functions such as this already?
The solution could be this:
<a href="<?php echo esc_attr( get_permalink() ); ?>">Link text</a>
But why should I do that if WordPress has already escaped the data upstream?
Asked Jun 27, 2016 at 9:23 by henrywright, edited Jun 27, 2016 at 9:49. 1 Answer
Answer (score 4): The WordPress Codex says:
It's important to note that most WordPress functions properly prepare the data for output, and you don't need to escape again.
For example, the_permalink() already escapes the output with:
echo esc_url( apply_filters( 'the_permalink', get_permalink( $post ), $post ) );
so you don't need to do that yourself here. But the get_the_permalink() function doesn't:
return get_permalink( $post, $leavename );
Neither does the get_permalink() function:
return apply_filters( 'post_link', $permalink, $post, $leavename );
They are not specific display functions.
WordPress uses filters all around the code base, to make it possible for themes and plugins to adjust the output of various core functions. Here are some possible (edge case) examples:
add_filter( 'post_link', function( $link )
{
return get_option( 'some_url' );
}, PHP_INT_MAX );
or even:
add_filter( 'post_link', function( $link )
{
return get_post_meta( 1, 'some_url', true );
}, PHP_INT_MAX );
So if we are displaying the output of get_permalink() directly, we should escape it with e.g.
<a href="<?php echo esc_url( get_permalink() ); ?>">...</a>
But in general I think it would be better to escape the output of a core function if we don't know how it handles it, but it shouldn't be too much work to just check it out.
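The difference the answer describes, as an added example that is not code from the question, the answer or WordPress core. It is a WP-CLI script (run inside a WordPress install with `wp eval-file escape-demo.php`) that installs the same kind of late-running 'post_link' filter the answer shows, but returning a constructed hostile value, and then renders the permalink five ways: get_permalink() raw, with esc_attr() as the question proposed, with esc_url() as the answer recommends, through a hypothetical theme helper wpse_safe_link(), and via core's the_permalink(). The constant DEMO_TAINTED_URL, the helper name and the filter closure are assumptions made for the demo.

```php
<?php
/**
 * Added example, not code from the question, the answer or WordPress core.
 * Run inside a WordPress install with:  wp eval-file escape-demo.php
 *
 * Shows why get_permalink() must be escaped at the point of output while
 * the_permalink() need not be, and why esc_url() rather than esc_attr() is
 * the right escaper for an href. The 'post_link' filter below stands in for
 * the option/meta-driven filters in the answer; DEMO_TAINTED_URL is a
 * constructed payload for the demo, not a value taken from any real site.
 */

// Constructed attacker-controlled value: think of an option or post meta
// that some weaker code let a low-privilege user write without validation.
const DEMO_TAINTED_URL = 'javascript:alert(document.domain)';

// Hypothetical theme helper: get_permalink() is a plain return value with no
// escaping, so escape it here, in href context, with esc_url(); the link
// text is HTML body context, so it gets esc_html().
function wpse_safe_link( $post, string $text ): string {
    return sprintf(
        '<a href="%s">%s</a>',
        esc_url( get_permalink( $post ) ),
        esc_html( $text )
    );
}

// get_permalink() on a page runs the 'page_link' filter, not 'post_link',
// so the demo needs a published post of type 'post'.
$posts = get_posts( [
    'numberposts' => 1,
    'post_status' => 'publish',
    'post_type'   => 'post',
] );
if ( empty( $posts ) ) {
    WP_CLI::error( 'Need at least one published post to run this demo.' );
}
$post = $posts[0];

// Same shape as the answer's edge case: a filter at PHP_INT_MAX priority
// replaces the permalink wholesale. Kept in a variable so it can be removed.
$hostile = function ( $link ) {
    return DEMO_TAINTED_URL;
};
add_filter( 'post_link', $hostile, PHP_INT_MAX );

// Plain return value: whatever the last 'post_link' filter handed back.
$raw = get_permalink( $post );

// the_permalink() echoes rather than returns, so capture its output.
ob_start();
the_permalink( $post );
$echoed = ob_get_clean();

$rows = [
    'get_permalink() raw'          => '<a href="' . $raw . '">x</a>',
    'get_permalink() + esc_attr()' => '<a href="' . esc_attr( $raw ) . '">x</a>',
    'get_permalink() + esc_url()'  => '<a href="' . esc_url( $raw ) . '">x</a>',
    'wpse_safe_link()'             => wpse_safe_link( $post, 'x' ),
    'the_permalink() (core)'       => '<a href="' . $echoed . '">x</a>',
];
foreach ( $rows as $label => $html ) {
    WP_CLI::line( str_pad( $label, 30 ) . $html );
}

// Clean up so the hostile filter does not outlive the demo in this process.
remove_filter( 'post_link', $hostile, PHP_INT_MAX );
```

The first two rows are the ones to look at: esc_attr() only encodes `& < > " '`, so the `javascript:` payload passes through it untouched and the raw and esc_attr() anchors are identical. esc_url() rejects any scheme outside wp_allowed_protocols() and returns an empty string, so the esc_url(), wpse_safe_link() and the_permalink() rows all end up with an empty href, which is exactly the point of the answer: core escapes inside the display function the_permalink(), but the get_* variants return a filtered, unescaped value that the caller must escape in the context where it is used.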