Clarification Please. Escaping Dynamic Content.

tips-and-tricks

#1

Hi,

I’ve been soft rejected a couple of times for “Escaping Dynamic Content”. After the last time, I need some clarification.

Does this example below need escaping at the point of echo $output and if so, what would I use… wp_kses?

$output = '';
$output .= '';
$output .= '';
$output .= '' . esc_html( $titlevar ) . '';
$output .= '';
$output .= '';
echo $output;

Thank you.


#2

There’s no need for wp_kses here. The rejection might be due to not escaping translated strings, e.g.

__( 'My content..', 'text-domain' );

should be

esc_html__( 'My content..', 'text-domain' );

#3

SubatomicThemes is right; however, the impression I got is that the reviewers search for ‘echo $’ and soft reject if anything comes up :pensive:

I eventually used wp_kses on any HTML output to be safe, seems to have done the trick.


#4

I guess it’s a quick way for the reviewers to check, even though sometimes it makes no sense, like in @ACODA’s example above. I guess you could leave a comment at the end of the line:

echo $content; // Note to reviewer: All user input has been escaped. See above :)

#5

Thanks for the reply.

All translation fields are escaped too.

I can’t work out whether, because I’ve now used a variable ( $output ) that contains HTML, $output itself now needs to be escaped. If that’s the case, it would explain why they say to do a global search for ‘echo $’. Confused!


#6

Did you use a specific array for wp_kses?


#7

You just list out what is needed in terms of your HTML output. I used this for my widgets:

// Allowed-list for wp_kses(): element names are keys, allowed attributes are nested keys.
$allowed_html = array(
    'br'    => array( 'class' => array() ),
    'small' => array( 'class' => array() ),
    'h1'    => array( 'class' => array(), 'style' => array() ),
    'h2'    => array( 'class' => array(), 'style' => array() ),
    'h3'    => array( 'class' => array(), 'style' => array() ),
    'h4'    => array( 'class' => array(), 'style' => array() ),
    'h5'    => array( 'class' => array() ),
    'h6'    => array( 'class' => array() ),
    'li'    => array( 'class' => array() ),
    'ul'    => array( 'class' => array() ),
    'a'     => array( 'class' => array(), 'href' => array() ),
    'i'     => array( 'class' => array(), 'style' => array(), 'id' => array() ),
    'div'   => array( 'class' => array(), 'style' => array(), 'id' => array() ),
    'span'  => array( 'class' => array(), 'style' => array(), 'id' => array() ),
    'img'   => array(
        'width'  => array(),
        'height' => array(),
        'alt'    => array(),
        'src'    => array(),
        'class'  => array(),
        'style'  => array(),
        'id'     => array(),
    ),
    // 'href' is an attribute, not an element, so this entry has no effect.
    'href'  => array( 'class' => array(), 'style' => array(), 'id' => array() ),
);
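An added example, written for this thread and not taken from any of the posts above, that ties together the question in #1 (does an already-escaped $output need escaping again at echo?) and the wp_kses allowed-list in #7. It assumes it runs inside a WordPress theme or plugin, so esc_html(), esc_attr(), esc_url(), esc_html__() and wp_kses() are available; the demo_ function names, the 'text-domain' string and the sample input values are made up for illustration.

```php
<?php
// Added example, not code from the original thread. Assumes WordPress core
// escaping functions are loaded (i.e. this runs inside a theme or plugin).

/**
 * Build the widget markup, escaping each dynamic value at the point it is
 * inserted, with the escaping function that matches its context:
 * esc_attr() inside attribute values, esc_html() between tags, esc_url() in href.
 */
function demo_build_widget_html( $title, $link, $css_class ) {
    $output  = '<div class="' . esc_attr( $css_class ) . '">';
    $output .= '<h3>' . esc_html( $title ) . '</h3>';
    $output .= '<a href="' . esc_url( $link ) . '">'
             . esc_html__( 'Read more', 'text-domain' ) . '</a>';
    $output .= '</div>';
    return $output;
}

/**
 * Allowed-list for wp_kses(): element names are keys, permitted attributes
 * are nested keys. Any tag or attribute not listed here is stripped.
 */
function demo_allowed_html() {
    return array(
        'div' => array( 'class' => array() ),
        'h3'  => array(),
        'a'   => array( 'href' => array() ),
    );
}

/**
 * Output the widget. Every dynamic value was already escaped while building
 * $output, so the wp_kses() pass at echo time does not change well-formed
 * output; it is a second line of defence that guarantees only the listed
 * tags and attributes can reach the browser, whatever code path filled $output.
 */
function demo_render_widget( $title, $link, $css_class ) {
    $output = demo_build_widget_html( $title, $link, $css_class );
    echo wp_kses( $output, demo_allowed_html() );
}

// Constructed sample input containing markup that must not survive.
demo_render_widget(
    '<script>alert(1)</script> Hello',  // esc_html() encodes < and >, so the tag is shown as text
    'javascript:alert(1)',              // esc_url() rejects the scheme and returns ''
    'widget" onmouseover="alert(1)'     // esc_attr() encodes the quote, so the attribute cannot be broken out of
);
```

With this structure the reviewer's search for ‘echo $’ still finds nothing unescaped: the echo line passes $output through wp_kses(), while the per-value escaping inside demo_build_widget_html() is what actually neutralises the hostile sample input.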