The following works but isn't up to snuff with PHP Code Sniffer WordPress coding standards <?php esc_html_e( ADDRESS, 'wprig' ); ?> Linter yells at me with: [WordPress.WP.I18n.NonSingularStringLiteralText] The $text arg must be a single string literal, not "ADDRESS". The following, for aforementioned error, also don't work: <?php esc_html_e( (string)ADDRESS, 'wprig' ); ?> <?php esc_html_e( strval(ADDRESS), 'wprig' ); ?> <?php esc_attr_e( ADDRESS, 'wprig' ); ?> I know constants can be exploited so it is needed. Any way to make this work …
I've been trying to submit a plugin for review and I keep having problems with the echo line. The last version I sent was like this. <option value=""> <?php _e( '- Default', MF_TEXT_DOMAIN ); ?> </option> <?php foreach ( $folders as $folder ) { $folder = trim( $folder ); $folder = esc_attr( $folder ); echo "<option value=\"{$folder}\">{$folder}</option>"; } ?> And the WordPress response was: This is not escaped: echo "<option value=\"{$folder}\">{$folder}</option>"; $folder MUST be escaped when it's echo'd. Now I'm …
In WordPress they recommend that I should escape any part of the code of my plugin that shows data to the user. I have made most of the corrections, but in this specific case I don't know how to escape that echo. Please help. <option value=""> <?php _e( '- Default', MF_TEXT_DOMAIN ); ?> </option> <?php foreach ( $folders as $folder ) { $folder = trim( $folder ); echo "<option value=\"{$folder}\">{$folder}</option>"; } ?>
Hi, I'm kind of new to WordPress. I have come across this issue lately when running my webpages from my WordPress server. I have this piece of code that clears any white spaces in the text input field. But after uploading it to the server directory, the backslashes in that piece of code are stripped away. The same happens to the js file as well. Due to this I'm unable to use the js \n character at all. <script> $(document).ready(function(){ $("input#MobileNo").on({ …
https://developer.wordpress.org/plugins/security/securing-output/ describes wp_kses_post as: Alternative version of wp_kses() that automatically allows all HTML that is permitted in post content. But, that's not correct. As far as I can tell, absolutely any HTML is accepted into post content, whereas wp_kses_post excludes many tags: script, style, iframe, meta, etc. So, is this description wrong or is my understanding wrong? Themes and plugins require escaping, so if you really want to allow all the same HTML that the post editor allows on a …
I'm creating a WordPress theme in which I've allowed users to add some custom css from the Theme Options. This css code then directly gets echoed out in the head section of the page, with the following code: add_action('wp_head', 'theme_dynamic_css'); function theme_dynamic_css(){ global $my_theme_options; $custom_css = ''; if (isset($my_theme_options['custom-css'])) { $custom_css .= $my_theme_options['custom-css']."\r\n"; } echo '<style id="my-theme-custom-css">'.$custom_css.'</style>'; } Should I be using esc_html(); here? At first I assumed if the code is between the style tags, then it shouldn't be …
I added a snippet to my functions.php file to add credit card icons in the woocommerce checkout page. The icons are in my media library so I added the url of the image. This is not an input and it will not be changed; should I escape it anyway? The code: add_action ('woocommerce_review_order_before_submit', 'my_custom_woocommerce_icons'); function my_custom_woocommerce_icons() { $icons = '<div class="checkout-icons-container"> <img src="https://mywebsite.com/wp-content/uploads/2022/01/visa02.png" alt="visa" /> <img src="https://mywebsite.com/wp-content/uploads/2022/01/mastercard.png" alt="mastercard"/> </div>'; echo $icons; }
I am very new to WordPress development. When I submitted my plugin for review it was rejected because "Variables and options must be escaped when echo'd". How do I escape the following 2 blocks of code? <label for="<?php echo $this->plugin_name . '-' . $switch['id']; ?>"> and echo "<style>img[ci-src] {opacity: 0;} img.ci-image-loaded {opacity: 1;}</style>";
I see a lot of these in premium themes/plugins. #1 - Why would you escape this? It's your own data. For consistency? function prefix_a() { $class_attr = 'a b c'; // Some more code. return '<div class="' . esc_attr( $class_attr ) . '">Content</div>'; } // Called somewhere. prefix_a(); #2 - Again, why? The data doesn't come from the DB. function prefix_b( $class ) { // Some code. return '<div class="' . esc_attr( $class ) . '">Content</div>'; } // Called by …
I am a little confused about how to use an escape function on a variable that has HTML code in it. I have tried this https://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data but I could not figure it out. Here is my code: $output = '<p>'; $output .= '<label for="' . esc_attr( $this->get_field_id( 'title' ) ) . '">Title:</label>'; $output .= '<input type="text" class="widefat" id="' . esc_attr( $this->get_field_id( 'title' ) ) . '" name="' . esc_attr( $this->get_field_name( 'title' ) ) . '" value="' . esc_attr( $title ) . '"'; $output …
I am working on securing the content read from a file via the fread() function. private function readfile_chunked($file) { $chunksize = 1024 * 1024; // Open Resume $handle = @fopen($file, 'r'); if (false === $handle) { return FALSE; } while (!@feof($handle)) { $content = @fread($handle, $chunksize); echo wp_kses_post( $content); if (ob_get_length()) { ob_flush(); flush(); } } return @fclose($handle); } The aforementioned wp_kses_post($content) is suggested by the WP plugin review team to secure the file content as well. But this solution …
I am a bit confused about properly escaping HTML and attributes while preparing an HTML string in jQuery. This is my current approach: $.ajax({ type: 'POST', success:function(response){ var html = ''; if( response ){ $.each(response,function(key,value){ html += '<tr>'; html += '<td>'; html += '<input type="hidden" name="'+key+'" value="tf_'+value+'" />'; html += '<div class="tf-wrapper">'+value+'</div>'; html += '</td>'; html += '</tr>'; }); } var table = $('#content_table'); table.find('tbody').append(html); }, error: function(a, b, c){ alert('error'); } }); The ajax callback in PHP would be public …
Why, in the register_nav_menus() functions (from Twenty Twenty One functions.php), do we find esc_html__() on the primary menu but not on the secondary menu, like below: register_nav_menus( array( 'primary' => esc_html__( 'Primary menu', 'twentytwentyone' ), 'footer' => __( 'Secondary menu', 'twentytwentyone' ), ) ); I understand that esc_html() "retrieve the translation of $text and escapes it for safe use in HTML output", as explained in the WordPress Codex, but why is it used on the first menu and not on the …
I have submitted a plugin to the WordPress repo, they have come back and said I need to escape the values in my email sending code NOT sanitize. So I'm confused what function they want me to use. Can you provide advice on the best escape function I should use for an email and plain text? Existing code they want me to escape and not sanitize: $message = " ... <li><strong>Email:</strong> " . sanitize_email($_REQUEST['email']) . "</li> <li><strong>Name: </strong> " . …
esc_url, esc_attr & esc_html are used to escape content that is untrusted so that potentially malicious code isn't executed. Can wp_strip_all_tags be used as an alternative? If not, why?
I created a WordPress page template and I want to add this CSS code only inside this template. For security reasons, should I escape it? Can anyone help me to solve this? Here is the code I used. <?php $style = "<style type='text/css'> .post-related {position: relative; width: 21.333%!important;} </style>"; echo $style ; ?>
I'm creating a template for comments on my WordPress site. I noticed that a simple <script>alert(1);</script> slips through the default WP codex implementation of comments, using the comment_text() function to display my comments. No bueno. How can I properly sanitize and/or escape WordPress comments? The esc_html() function seems to do nothing in this case.
I'm writing a very simple social share plugin for a client. I'm using these two functions to display the share buttons at the bottom of each post: <?php /** * Social buttons */ function zss_share_buttons() { ?> <div class="zss"> <div id="fb-root"></div> <script> (function(d, s, id) { var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)) return; js = d.createElement(s); js.id = id; js.src = "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v3.0"; fjs.parentNode.insertBefore(js, fjs); } (document, 'script', 'facebook-jssdk')); </script> <div class="fb-share-button" data-href="<?php the_permalink(); ?>" data-layout="button_count" data-lazy="true"></div> <a href="https://twitter.com/share?url=<?php the_permalink(); …