What’s the difference between esc_html, esc_attr, esc_html_e, and so on?
I got feedback from a security guy and he pointed out that I should use proper escaping of user input in my code. So I've done some research and found the escaping functions.

What’s the difference between them?
When should I use esc_html() and when esc_attr()?
And when should I use these functions with _e() at the end?
  • Have you read the documentation? – Jacob Peattie, Dec 7 at 16:06
  • Yes and that confused me even more :( – baldrick, Dec 7 at 16:10
functions escaping
edited Dec 7 at 19:32 by Howdy_McGee (13.2k)
asked Dec 7 at 15:59 by baldrick (365)
2 Answers
esc_html() escapes a string so that it is not parsed as HTML. Characters like < are converted to &lt;, for example. This will look the same to the reader, but it means that if the value being output is <script> then it won't be interpreted by the browser as an actual script tag.

Use this function whenever the value being output should not contain HTML.

esc_attr() escapes a string so that it's safe to use in an HTML attribute, like class="" for example. This prevents a value from breaking out of the HTML attribute. For example, if the value is "><script>alert();</script> and you tried to output it in an HTML attribute it would close the current HTML tag and open a script tag. This is unsafe. By escaping the value it won't be able to close the HTML attribute and tag and output unsafe HTML.

Use this function when outputting a value inside an HTML attribute.

esc_url() escapes a string to make sure that it's a valid URL.

Use this function when outputting a value inside an href="" or src="" attribute.

esc_textarea() escapes a value so that it's safe to use in a <textarea> element. By escaping a value with this function it prevents a value being output inside a <textarea> from closing the <textarea> element and outputting its own HTML.

Use this function when outputting a value inside a <textarea> element.

esc_html() and esc_attr() also have versions ending in __(), _e() and _x(). These are for outputting translatable strings.

WordPress has functions, __(), _e() and _x(), for outputting text that can be translated. __() returns a translatable string, _e() echoes a translatable string, and _x() returns a translatable string with a given context. You've probably seen them before.

Since you can't necessarily trust a translation file to contain safe values, using these functions when outputting a translatable string ensures that the strings being output can't cause the same issue described above.

Use these functions when outputting translatable strings.






answered Dec 7 at 16:28 by Jacob Peattie (15.1k)


esc_html would be used inside of HTML, for example between <p> tags:

    <p><?php echo esc_html( $some_variable ); ?></p>

esc_attr would be used for escaping attribute values on HTML tags, like so:

    <p my-attribute="<?php echo esc_attr( $some_variable ); ?>"></p>

Applying _e to the end is for using it with text domains, and it will automatically echo it for you, e.g.:

    <p><?php esc_html_e( 'some-text', 'text-domain' ); ?></p>
    <p my-attribute="<?php esc_attr_e( 'some-text', 'text-domain' ); ?>"></p>

In addition to _e there is also __, which does the same as _e but doesn't echo it, so you can store it in a variable.

edited Dec 7 at 16:25
answered Dec 7 at 16:04 by jrmd (1315)

  • _e is not just for echoing, it's for localisation. So it should only be used when a string is passed to the function, and should include a text domain. Your last example is misusing it. – Jacob Peattie, Dec 7 at 16:12
  • @JacobPeattie my bad, I'll update... EDIT: Fixed – jrmd, Dec 7 at 16:23

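The contexts both answers walk through (HTML body, attribute, href, textarea, and the translatable variants), combined into one template function as an added example; this is not code from either answer or from WordPress itself. The esc_* function names are WordPress's. The fallback definitions inside the function_exists() block, the render_card() helper, the data-note attribute and the 'my-text-domain' text domain are assumptions made for this example so that the file also runs under the plain php CLI; the esc_url() stand-in in particular is deliberately stricter than WordPress's own and is not its implementation. The block also shows the point raised in the comments under jrmd's answer: esc_html_e() takes a literal string plus a text domain, while a variable goes through esc_html().

```php
<?php
// Added example, not code from either answer: one template function that
// outputs a single untrusted value into each HTML context the answers name,
// using the WordPress escaping function that matches that context.
//
// The esc_* names are WordPress's. The fallbacks in the function_exists()
// block are simplified stand-ins (an assumption, not WordPress's real
// implementations) so this file also runs with plain `php` outside WordPress.
// 'my-text-domain', render_card() and data-note are made up for this example.

if ( ! function_exists( 'esc_html' ) ) {
    // Stand-in: encode <, >, &, " and ' so the value is displayed, not parsed.
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
    // Stand-in: same encoding; the quotes are what matter inside an attribute.
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
    // Stand-in: an encoded value cannot contain a literal </textarea>.
    function esc_textarea( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
    // Stand-in, deliberately strict: keep only http(s) URLs, then attribute-escape.
    // WordPress's esc_url() accepts more schemes and sanitises differently.
    function esc_url( $url ) {
        $url = trim( (string) $url );
        if ( ! preg_match( '#\Ahttps?://#i', $url ) ) {
            return '';
        }
        return htmlspecialchars( $url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
    // Stand-ins for the translating variants: no translation lookup here, just
    // the escape-then-return / escape-then-echo behaviour the answers describe.
    function esc_html__( $text, $domain = 'default' ) { return esc_html( $text ); }
    function esc_html_e( $text, $domain = 'default' ) { echo esc_html( $text ); }
    function esc_attr__( $text, $domain = 'default' ) { return esc_attr( $text ); }
    function esc_attr_e( $text, $domain = 'default' ) { echo esc_attr( $text ); }
}

/**
 * Render one value in four output contexts. Each sink gets the escaper for
 * its own context. The translatable label uses esc_html_e() with a literal
 * string and a text domain; a variable would go through esc_html() instead.
 */
function render_card( $value, $url ) {
    ob_start();
    ?>
<p><?php echo esc_html( $value ); ?></p>
<p data-note="<?php echo esc_attr( $value ); ?>"></p>
<a href="<?php echo esc_url( $url ); ?>"><?php esc_html_e( 'Read more', 'my-text-domain' ); ?></a>
<textarea name="note"><?php echo esc_textarea( $value ); ?></textarea>
<?php
    return ob_get_clean();
}

// Constructed input: the breakout string quoted in the accepted answer,
// passed both as a plain value and as a (non-)URL.
$untrusted = '"><script>alert();</script>';

$html = render_card( $untrusted, $untrusted );
echo $html;

// Self-check: a literal script tag never reaches the browser in any context.
// With the stand-ins every `<` is encoded; WordPress's esc_url() also strips
// angle brackets, so the check holds there as well.
if ( strpos( $html, '<script' ) !== false ) {
    fwrite( STDERR, "escaping failed\n" );
    exit( 1 );
}
```

Run the file with the php CLI to see the rendered markup: the body, attribute and textarea each show the value encoded (`&quot;&gt;&lt;script&gt;...`), and the href is empty because the stand-in esc_url() refuses anything that is not an http(s) URL. Inside WordPress the same template code uses the real esc_* functions, and the one thing that changes is the exact output of esc_url().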