Escape when echoed

I've been trying to submit a plugin for review and I keep having problems with the echo line. The last version I sent was like this.

<option value="">
    <?php _e( '- Default', MF_TEXT_DOMAIN ); ?>
</option>
<?php foreach ( $folders as $folder ) {
    $folder = trim( $folder );
    $folder = esc_attr( $folder );
    echo "<option value=\"{$folder}\">{$folder}</option>";
} ?>

And the WordPress response was:

This is not escaped:

echo "<option value=\"{$folder}\">{$folder}</option>";

$folder MUST be escaped when it's echo'd.

Now I'm ready to submit the code for review again but first I want to make sure I'm correct.

Here is the new code:

<option value="">
    <?php _e( '- Default', MF_TEXT_DOMAIN ); ?>
</option>
<?php foreach ( $folders as $folder ) {
    $folder = trim( $folder );
    echo '<option value="' . esc_attr( $folder ) . '">' . esc_attr( $folder ) . '</option>';
} ?>

I'd be very grateful if someone could help, as I'm a bit confused about the (escaped).



In fact to be super pedantic, I think the correct code is actually:

echo '<option value="' . esc_attr( $folder ) . '">' . esc_html( $folder ) . '</option>';

Since the first variable is an attribute, and the second is encased in HTML, although I would bet that the code you have would pass review, and is certainly fit for purpose.
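The pattern from the answer above as a runnable script, added here as an example (not code from the original post or the plugin): each value is escaped at the point of output, with esc_attr() for the attribute and esc_html() for the element text. The helper name mf_folder_options(), the sample folder names and the simplified htmlspecialchars()-based stand-ins used outside WordPress are assumptions.

```php
<?php
// Added example, not the plugin's code. Outside WordPress, define simplified
// stand-ins so the script runs from the CLI; inside WordPress the real
// esc_attr() / esc_html() already exist and these definitions are skipped.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

/**
 * Build the <option> list for a folder <select> (hypothetical helper).
 * Values stay raw until the moment they are concatenated into markup.
 */
function mf_folder_options( array $folders, $current = '' ) {
    $html = '';
    foreach ( $folders as $folder ) {
        $folder = trim( $folder );
        if ( '' === $folder ) {
            continue; // skip blank entries rather than emit an empty option
        }
        // Compare raw to raw; comparing an escaped copy would never match
        // names that contain &, quotes or angle brackets.
        $selected = ( $folder === $current ) ? ' selected="selected"' : '';
        $html .= '<option value="' . esc_attr( $folder ) . '"' . $selected . '>'
               . esc_html( $folder ) . '</option>' . "\n";
    }
    return $html;
}

// Constructed sample data: names with quotes, an ampersand and angle brackets.
$folders = array( 'photos', ' Tom\'s "2024" set ', 'R&D <drafts>', '' );

// Every dynamic piece was escaped where it was placed into the markup,
// so the assembled string is printed as-is.
echo mf_folder_options( $folders, 'R&D <drafts>' );
```

Keeping `$folder` raw until the echo line is also what lets the `selected` comparison work; in the first submission the variable was overwritten with its escaped form several statements before it was printed.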
