What’s the difference between esc_html, esc_attr, esc_html_e, and so on?
I got feedback from a security guy and he pointed out that I should use proper escaping of user input in my code. So I've done some research and found escaping functions.
What's the difference between them? When should I use esc_html() and when esc_attr()? And when should I use these functions with _e() at the end?
Tags: functions, escaping
asked Dec 7 at 15:59 by baldrick, edited Dec 7 at 19:32 by Howdy_McGee♦
Have you read the documentation? – Jacob Peattie, Dec 7 at 16:06
Yes and that confused me even more :( – baldrick, Dec 7 at 16:10
2 Answers
esc_html() escapes a string so that it is not parsed as HTML. Characters like < are converted to &lt;, for example. This will look the same to the reader, but it means that if the value being output is <script> then it won't be interpreted by the browser as an actual script tag.
Use this function whenever the value being output should not contain HTML.

esc_attr() escapes a string so that it's safe to use in an HTML attribute, like class="" for example. This prevents a value from breaking out of the HTML attribute. For example, if the value is "><script>alert();</script> and you tried to output it in an HTML attribute it would close the current HTML tag and open a script tag. This is unsafe. By escaping the value it won't be able to close the HTML attribute and tag and output unsafe HTML.
Use this function when outputting a value inside an HTML attribute.

esc_url() escapes a string to make sure that it's a valid URL.
Use this function when outputting a value inside an href="" or src="" attribute.

esc_textarea() escapes a value so that it's safe to use in a <textarea> element. By escaping a value with this function it prevents a value being output inside a <textarea> from closing the <textarea> element and outputting its own HTML.
Use this function when outputting a value inside a <textarea> element.

esc_html() and esc_attr() also have versions ending in __(), _e() and _x(). These are for outputting translatable strings.
WordPress has functions, __(), _e() and _x(), for outputting text that can be translated. __() returns a translatable string, _e() echoes a translatable string, and _x() returns a translatable string with a given context. You've probably seen them before.
Since you can't necessarily trust a translation file to contain safe values, using these functions when outputting a translatable string ensures that the strings being output can't cause the same issue described above.
Use these functions when outputting translatable strings.
answered Dec 7 at 16:28 by Jacob Peattie
esc_html would be used inside of HTML, for example between <p> tags:
<p><?php echo esc_html( $some_variable ); ?></p>
esc_attr would be used for escaping attribute values on HTML tags like so:
<p my-attribute="<?php echo esc_attr( $some_variable ); ?>"></p>
Applying _e to the end is for using it with text domains and will automatically echo it for you, e.g.:
<p><?php esc_html_e( 'some-text', 'text-domain' ); ?></p>
<p my-attribute="<?php esc_attr_e( 'some-text', 'text-domain' ); ?>"></p>
In addition to _e there is also __ which does the same as _e but doesn't echo it, so you can store it in a variable.
answered Dec 7 at 16:04 by jrmd, edited Dec 7 at 16:25
_e is not just for echoing, it's for localisation. So it should only be used when a string is passed to the function, and should include a text domain. Your last example is misusing it. – Jacob Peattie, Dec 7 at 16:12
@JacobPeattie my bad, I'll update... EDIT Fixed – jrmd, Dec 7 at 16:23
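As an added example that is not part of either answer above: one untrusted record rendered into the four contexts both answers describe (text node, attribute, href, textarea) plus the translatable-string variants, first without escaping (the pattern a security review flags) and then with the matching WordPress function. It assumes it runs inside WordPress, e.g. from a theme template or after requiring wp-load.php; the guarded stand-ins at the top exist only so the file also executes on a bare PHP CLI and are deliberately simplified approximations, not WordPress's implementations. The array keys, the text domain my-text-domain and the render_* function names are made up for the illustration.

```php
<?php
// Stand-ins so this file runs outside WordPress. They are NOT WordPress's code:
// WordPress's own functions handle more cases (e.g. esc_url's protocol allow-list
// and attribute-specific entity handling). Do not copy these into a plugin.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $t )     { return htmlspecialchars( (string) $t, ENT_QUOTES, 'UTF-8' ); }
    function esc_attr( $t )     { return htmlspecialchars( (string) $t, ENT_QUOTES, 'UTF-8' ); }
    function esc_textarea( $t ) { return htmlspecialchars( (string) $t, ENT_QUOTES, 'UTF-8' ); }
    // Simplified: only http(s) survives; anything else becomes an empty string.
    function esc_url( $u ) {
        return preg_match( '#^https?://#i', (string) $u ) ? htmlspecialchars( (string) $u, ENT_QUOTES, 'UTF-8' ) : '';
    }
    // Translation stand-ins: no lookup, just the escaping step.
    function esc_html__( $t, $d )     { return esc_html( $t ); }
    function esc_attr__( $t, $d )     { return esc_attr( $t ); }
    function esc_html_e( $t, $d )     { echo esc_html( $t ); }
    function esc_attr_e( $t, $d )     { echo esc_attr( $t ); }
    function esc_html_x( $t, $c, $d ) { return esc_html( $t ); }
}

// Constructed sample record: the kind of values a comment form or settings
// screen would hand the template. Each one targets a different context.
$untrusted = array(
    'name'  => '<script>alert(1)</script>',             // text node: the case from the first answer
    'class' => '"><script>alert();</script>',           // attribute: the break-out case from the first answer
    'link'  => 'javascript:alert(1)',                   // href: not a valid http(s) URL
    'bio'   => '</textarea><script>alert(1)</script>',  // textarea: tries to close the element early
);

/**
 * Renders the record with NO escaping. Kept only to show what the reviewer
 * objected to: every value is pasted straight into the markup.
 */
function render_unescaped( array $v ) {
    return '<p class="' . $v['class'] . '">' . $v['name'] . '</p>'
         . '<a href="' . $v['link'] . '">profile</a>'
         . '<textarea name="bio">' . $v['bio'] . '</textarea>';
}

/**
 * Same markup, each value escaped for the context it lands in:
 *   text between tags      -> esc_html()
 *   attribute value        -> esc_attr()
 *   href / src             -> esc_url()
 *   textarea contents      -> esc_textarea()
 *   translatable UI string -> esc_html__() / esc_attr__() (return) or the _e() forms (echo)
 */
function render_escaped( array $v ) {
    return '<p class="' . esc_attr( $v['class'] ) . '">' . esc_html( $v['name'] ) . '</p>'
         . '<a href="' . esc_url( $v['link'] ) . '">' . esc_html__( 'profile', 'my-text-domain' ) . '</a>'
         . '<textarea name="bio">' . esc_textarea( $v['bio'] ) . '</textarea>';
}

// Translatable strings: the first argument is always a literal (never a variable,
// which is the misuse the comment on the second answer points out), and the
// domain is the plugin's or theme's own. The _e() forms echo, the __() forms return.
function render_form_chrome() {
    ob_start();
    esc_html_e( 'Your profile', 'my-text-domain' );
    echo '<input type="submit" value="' . esc_attr__( 'Save', 'my-text-domain' ) . '">';
    echo '<span title="' . esc_attr( esc_html_x( 'Post', 'verb', 'my-text-domain' ) ) . '"></span>';
    return ob_get_clean();
}

echo "UNESCAPED (what the reviewer flagged):\n", render_unescaped( $untrusted ), "\n\n";
echo "ESCAPED PER CONTEXT:\n", render_escaped( $untrusted ), "\n", render_form_chrome(), "\n";
```

Run it once inside WordPress and once on a bare CLI: in both cases the escaped output contains no live `<script>` element, the class attribute stays closed, the javascript: link collapses to an empty href, and the textarea contents cannot terminate the element. The point the two answers make is that the function is chosen by where the value lands in the markup, not by where the value came from, so the same `$untrusted['name']` would need esc_attr() rather than esc_html() if it were ever printed into a title="" attribute.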