Deprecated clean_url() in favor of esc_url(), and deprecated sanitize_url() in favor of esc_url_raw().
Tagged: escaping
Mark Jaquith
Deprecated wp_specialchars() in favor of esc_html() (also: esc_html__() and esc_html_e()). Using wp_specialchars() with more than one param works for backwards compat. Also, esc_html() (or wp_specialchars() with one param) escapes quotes, just like esc_attr(). This buys security for plugin authors who were mistakenly using a one-param wp_specialchars() call in an HTML attribute. See this wp-hackers message for more detail.
Mark Jaquith
Standardizing and shortening the WP security escaping functions.

attribute_escape() is now esc_attr(). Additionally, you can do attribute escaping and translation in one go. Just add the translation function to the end. Like so:

esc_attr__() — translate and return, attribute-escaped.
esc_attr_e() — translate and echo, attribute-escaped.

Will be following up with esc_html (with __() and _e() variants), esc_url(), maybe some more. Will be nice, short, predictable, and allow you to translate/escape in one go without a lot of nested parentheses.
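An added example (not code from the original posts or from WordPress itself) of a plugin helper that uses the renamed functions described above, one per output context. It assumes WordPress is loaded so the esc_* functions exist; the function names, the text domain 'myplugin' and the sample values are constructed for this example.

```php
<?php
// Added example: escaping each value for the context it is printed in.
// Assumes WordPress is loaded (esc_url, esc_url_raw, esc_attr, esc_html,
// esc_attr__ and esc_attr_e are defined by WordPress core).

function myplugin_render_link( $text, $url ) {
    // URL in an href attribute: esc_url() rejects unsafe protocols and
    // entity-encodes the result for HTML output.
    $href = esc_url( $url );

    // Attribute context, translated: esc_attr__() returns the translated
    // string, attribute-escaped. This replaces the nested form
    //     attribute_escape( __( 'Visit this site', 'myplugin' ) )
    $title = esc_attr__( 'Visit this site', 'myplugin' );

    // HTML text context: esc_html() now encodes quotes as well as < > &,
    // so a value containing a double quote cannot close an attribute even
    // if it is mistakenly printed inside one.
    $label = esc_html( $text );

    return sprintf( '<a href="%s" title="%s">%s</a>', $href, $title, $label );
}

function myplugin_render_search_box() {
    // Attribute context, translated and echoed: esc_attr_e() is the
    // echoing variant of esc_attr__().
    echo '<input type="text" name="s" placeholder="';
    esc_attr_e( 'Search this site', 'myplugin' );
    echo '" />';
}

function myplugin_save_redirect_target( $raw_url ) {
    // Storing or redirecting, not displaying: esc_url_raw() (the new name
    // for sanitize_url()) validates the URL but leaves '&' as '&' rather
    // than entity-encoding it, which is what a database or header needs.
    return esc_url_raw( $raw_url );
}

// Constructed untrusted input: text containing a double quote and a URL
// with an ampersand in its query string.
echo myplugin_render_link( 'Say "hi" & bye', 'http://example.com/?a=1&b=2' );
myplugin_render_search_box();
```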
Leandro Vieira Pinho
Why not escape_attr rather than esc_attr? Writing escape is more intuitive than esc.
Lloyd Budd, 4:48 pm on May 21, 2009
http://codex.wordpress.org/Data_Validation will need an update.