Last active
August 21, 2018 12:43
Gist annelyse/2b4a45cb73699a3458e43b5eff2c280b
esc_html() is more or less lossless: it only turns HTML markup into encoded, visible text so that the browser does not render it as markup. Semantically it is an escape, so it is meant to make output to the page safe.

sanitize_text_field(), however, actually removes all HTML markup as well as extra whitespace, leaving nothing but plain text. Semantically it is a sanitize, so it is meant to make input that is being saved safe.
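The lossless-versus-lossy distinction is easiest to see side by side. The following is an added example, not code from the gist: it uses plain-PHP approximations of the two WordPress helpers (htmlspecialchars() for esc_html(), strip_tags() plus whitespace collapsing for sanitize_text_field()) so it runs without WordPress; the real functions do more (esc_html() avoids double encoding and runs the `esc_html` filter, sanitize_text_field() also drops the contents of script/style elements, line breaks and percent-encoded sequences).

```php
<?php
// Added example, not from the gist. The two functions below are plain-PHP
// stand-ins that mimic only the property under discussion.

function escape_like_esc_html(string $text): string {
    // Escape: bytes that could be read as markup become entities; no data is lost.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function sanitize_like_text_field(string $text): string {
    // Sanitize: tags are removed outright and whitespace is collapsed; data is lost.
    // (The real sanitize_text_field() also removes what is *inside* <script>/<style>.)
    $plain = strip_tags($text);
    return trim(preg_replace('/\s+/', ' ', $plain));
}

// Constructed sample input: a title that carries both harmless and hostile markup.
$title = "Hello <b>World</b>   <script>alert(1)</script>";

$escaped   = escape_like_esc_html($title);
$sanitized = sanitize_like_text_field($title);

// Escaping is reversible: decoding the entities yields the original string again.
$roundTrip = html_entity_decode($escaped, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
printf("escape is lossless: %s\n", $roundTrip === $title ? 'yes' : 'no');

// Sanitizing is not: the markup is gone and cannot be recovered from the result.
printf("sanitize is lossless: %s\n", $sanitized === $title ? 'yes' : 'no');

// Both results are safe to print into an HTML body, for different reasons:
// the escaped form shows exactly what was entered, the sanitized form shows a
// reduced plain-text version. Store the sanitized value; escape when rendering.
printf("escaped:   %s\n", $escaped);
printf("sanitized: %s\n", $sanitized);
```

Run it with `php escape_vs_sanitize.php`; the first line reports that the escape round-trips and the second that the sanitized value no longer equals the input.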
`<h4><?php the_title(); ?></h4>` does not need to be escaped. The return value of get_the_title(), however, should be escaped.
Super admins and administrators have the ability to enter arbitrary HTML in the title field, but that doesn't prevent problems from appearing, for example:

- A rogue administrator adds a script tag with malicious JavaScript
- A hacker manages to change the title via an exploit
- A compromised plugin uses a filter to change the title
- A broken plugin allows it to be changed
- A hacker has broken into Redis/APC/Memcached and modified the cache
- File-based caches have been compromised

All of this is a non-issue with escaping, which makes sure that what is output is what you expected. That doesn't mean you can't let users put HTML in there, as long as you specify which tags are allowed.
To display the title safely, do this:

```php
echo esc_html( get_the_title() );
```

And if you want the title to include HTML tags:

```php
echo wp_kses_post( get_the_title() );
```
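Putting the input side and the output side together, here is an added example that is not part of the gist. It assumes it runs inside WordPress (for instance from a theme's functions.php); the meta key `_example_subtitle`, the form field and nonce names, and the function names are made up for illustration. The stored subtitle is sanitized on save and still escaped on output, which is exactly what covers the compromised-cache and rogue-plugin cases listed above.

```php
<?php
// Added example, not code from the gist. Assumes WordPress is loaded.
// '_example_subtitle', 'example_subtitle', 'example_nonce' and
// 'example_save_subtitle' are hypothetical names.

// Input side: sanitize before storing.
function example_save_subtitle( int $post_id ): void {
    if ( ! isset( $_POST['example_subtitle'], $_POST['example_nonce'] ) ) {
        return;
    }
    // Only a user allowed to edit this post, presenting a valid nonce, may change it.
    if ( ! current_user_can( 'edit_post', $post_id )
        || ! wp_verify_nonce( $_POST['example_nonce'], 'example_save_subtitle' ) ) {
        return;
    }
    // sanitize_text_field(): markup and stray whitespace are removed, plain text is kept.
    $subtitle = sanitize_text_field( wp_unslash( $_POST['example_subtitle'] ) );
    update_post_meta( $post_id, '_example_subtitle', $subtitle );
}
add_action( 'save_post', 'example_save_subtitle' );

// Output side: escape at the point of printing, for the context being printed into.
function example_render_heading(): void {
    $post_id = get_the_ID();
    ?>
    <h4><?php the_title(); ?></h4>

    <?php // get_the_title() returns a string, so escape it before echoing. ?>
    <p class="plain"><?php echo esc_html( get_the_title( $post_id ) ); ?></p>

    <?php // If the title may carry markup, limit it to the post-content allow-list. ?>
    <p class="rich"><?php echo wp_kses_post( get_the_title( $post_id ) ); ?></p>

    <?php // Attribute and URL contexts need esc_attr() / esc_url(), not esc_html(). ?>
    <a href="<?php echo esc_url( get_permalink( $post_id ) ); ?>"
       title="<?php echo esc_attr( get_the_title( $post_id ) ); ?>">
        <?php
        // Sanitized on save, escaped again here: the database or cache may have
        // been altered after the value was stored.
        echo esc_html( get_post_meta( $post_id, '_example_subtitle', true ) );
        ?>
    </a>
    <?php
}
```

Call example_render_heading() from inside the loop. The pattern to take away is that sanitize_text_field() runs once, on the way in, while the esc_* / wp_kses_* call is chosen per output context (HTML body, attribute, URL) and runs every time the value is rendered.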