
Don’t Get Confused With Data Link Escape In WordPress

When you create WordPress themes to be used on different sites, you need to be careful about handling the data that is coming into WordPress as well as the data that you are presenting to users. Escaping data in WordPress is something that you need to consider.

Escaping

Escaping can be described as securing output. Escaping data on output in WordPress prevents cross-site scripting (XSS) attacks, and it also ensures that data is displayed the way the user intended.

Escaping converts special HTML characters into HTML entities so that they are displayed rather than executed.

Example: Facebook escapes chat messages before displaying them, so that users cannot run code on one another’s computers.

Escaping depends entirely on the context in which you use the functions. What is fine to display inside <h1> tags is not necessarily safe as the value attribute of an input field, and even that would not necessarily be safe as an href attribute value.

In short, perform the escaping yourself at the point where you output the data. In the case of the_title() or get_the_title(), however, esc_html is not necessary, since WordPress already applies the following functions:

convert_chars
wptexturize

Note: the_title prints the title, so esc_html( the_title() ) won’t work; you would escape get_the_title() instead. Similarly, the_content prints the content (and in any case, you would expect the content to contain HTML).

What to escape depends on what you are doing. Any variable whose value is not known in advance should be escaped on output.

For example, there’s no need to escape this:

if ( 1 === get_theme_mod( 'some_number', 1 ) ) {
    echo 'Hello';
}

However, you’d escape this:

echo esc_url( get_theme_mod( 'some_url', 'http://wordpress.org' ) );

Should get_theme_mod() be escaped? Possibly. A better question is: should variables be escaped on output, or should variables be sanitized on input? Yes, to both.

Sanitizing

Sanitizing can be described as cleaning user input. This process removes text, characters, or code that is not allowed from the input before it is stored.

Validating

Validating can be described as checking user input. The purpose of validating is to determine whether the user has entered an acceptable value or not, and to reject it if not.
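The three steps above (sanitize on input, validate on input, escape on output) fit together in a theme’s functions.php as follows. This is an added example written for this page, not code from the original post or from WordPress itself; the theme slug "mytheme" and the setting ids "mytheme_some_url", "mytheme_some_number" and "mytheme_banner_text" are hypothetical. The WordPress functions used (add_setting with sanitize_callback and validate_callback, esc_url_raw, absint, sanitize_text_field, get_theme_mod, esc_url, esc_attr, esc_html) are real core functions.

```php
<?php
// Added example (hypothetical theme "mytheme"), not part of the original post.
// Input side: sanitize and validate Customizer values when they are saved.
function mytheme_customize_register( WP_Customize_Manager $wp_customize ) {
	$wp_customize->add_setting( 'mytheme_some_url', array(
		'default'           => 'https://wordpress.org',
		// Sanitizing: strip anything that is not a safe URL before it is stored.
		'sanitize_callback' => 'esc_url_raw',
	) );

	$wp_customize->add_setting( 'mytheme_some_number', array(
		'default'           => 1,
		// Sanitizing: force a non-negative integer.
		'sanitize_callback' => 'absint',
		// Validating: refuse the save with an error if the value is out of range.
		'validate_callback' => 'mytheme_validate_some_number',
	) );

	$wp_customize->add_setting( 'mytheme_banner_text', array(
		'default'           => '',
		// Sanitizing: plain text only, tags and stray whitespace removed.
		'sanitize_callback' => 'sanitize_text_field',
	) );
}
add_action( 'customize_register', 'mytheme_customize_register' );

// validate_callback receives a WP_Error to add messages to and the raw value.
function mytheme_validate_some_number( WP_Error $validity, $value ) {
	$value = (int) $value;
	if ( $value < 1 || $value > 10 ) {
		$validity->add( 'out_of_range', __( 'Please enter a number between 1 and 10.', 'mytheme' ) );
	}
	return $validity;
}

// Output side: escape for the exact context each value lands in.
function mytheme_banner() {
	$url   = get_theme_mod( 'mytheme_some_url', 'https://wordpress.org' );
	$text  = get_theme_mod( 'mytheme_banner_text', '' );
	$count = get_theme_mod( 'mytheme_some_number', 1 );

	// No escaping needed here: the stored value is only compared against a
	// literal, and nothing from it reaches the page.
	if ( 1 === (int) $count ) {
		echo '<p>Hello</p>';
	}

	// One stored string, three HTML contexts, three escaping functions.
	printf(
		'<a class="banner" href="%1$s" title="%2$s">%3$s</a>',
		esc_url( $url ),   // href attribute: unsafe schemes such as javascript: are dropped
		esc_attr( $text ), // quoted attribute value
		esc_html( $text )  // element text content
	);
}

// the_title() echoes, so esc_html( the_title() ) escapes nothing; inside element
// content use esc_html( get_the_title() ), and inside an attribute use
// the_title_attribute(), which is already escaped for that context.
```

Sanitizing on input keeps obviously bad values (a javascript: URL, HTML in a text field) out of the database, but the output escaping in mytheme_banner() is still required: the same stored string is safe in one context and not in another, and the template cannot assume every value in the database passed through the Customizer.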