
Escaping Data

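<?php
// Instead of _e(), __() or _x(), use the escaping variant that matches the
// output context: esc_html_e()/esc_html__()/esc_html_x() for text nodes,
// esc_attr_e()/esc_attr__() for attribute values, esc_url() for href/src,
// esc_js() for single-quoted JavaScript string literals.
_e('Email Summary', 'duplicator-pro');      // unescaped: avoid
// The escaping variant is safe to use in an HTML text context.
esc_html_e('Email Summary', 'duplicator-pro');
?>

<!-- NOT safe: every value below is echoed without escaping for its context -->
<h2 class="<?php echo $customStyle ?>">
	<?php _e('Email Summary', 'duplicator-pro') ?>
</h2>
<i class="fas fa-question-circle" data-tooltip="<?php _e('Help', 'duplicator-pro') ?>"></i>
<a href="<?php echo DUP_SITE_URL ?>">Link</a>
<button onclick="DupPro.Pack.OpenPackTransfer(<?php echo $package->ID ?>);"></button>

<!-- Safe: each value is escaped for the context it lands in
     (attribute -> esc_attr, text -> esc_html, href -> esc_url, JS -> esc_js / int cast) -->
<h2 class="<?php echo esc_attr($customStyle) ?>">
	<?php esc_html_e('Email Summary', 'duplicator-pro') ?>
</h2>
<i class="fas fa-question-circle" data-tooltip="<?php esc_attr_e('Help', 'duplicator-pro') ?>"></i>
<a href="<?php echo esc_url(DUP_SITE_URL) ?>"><?php esc_html_e('Link', 'duplicator-pro') ?></a>
<?php
// A bare (unquoted) JS argument is not a string literal, so esc_js() cannot
// bound it; for a numeric id an int cast is the correct escape.
?>
<button onclick="DupPro.Pack.OpenPackTransfer(<?php echo (int) $package->ID ?>);"></button>

<?php
// Translatable strings that contain markup: neither echo them raw nor escape
// the whole string (that would turn <b> into visible text). Keep the markup out
// of the translated string and pass it as printf() arguments; only the
// translated text goes through esc_html_x().
_e('The <b>bold</b> text is important', 'duplicator-pro'); // unescaped: avoid
printf(
	esc_html_x(
		'The %1$sbold%2$s text is important',
		'%1$s and %2$s represent the opening and closing bold tags',
		'duplicator-pro'
	),
	'<b>',
	'</b>'
);

// Escape at the point of output, as late as possible.

// Nesting is fine: the helper returns a plain string and esc_html() escapes it
// right before it is echoed.
echo esc_html(get_date_from_gmt($package->Created));

// When the output mixes data with our own markup, escape the data first and then
// insert the literal separator; the separator is controlled by us, not by the data.
echo trim(str_replace(',', '<br/>', esc_html($package->Database->FilterTables)));

// A long expression: put the value in a variable, then escape on echo.
$createdLocal = DUP_PRO_Package::format_and_get_local_date_time(
	$package->Created,
	$packagesViewData['package_ui_created']
);
echo esc_html($createdLocal);

// Escape each element, then join with the literal separator.
echo implode('<br/>', array_map('esc_html', $package->Database->info->collationList));

// Helpers that return markup: allow-list only the tags they are expected to
// emit, here the <br/> separator we pass in ('</br>' is not valid markup, so
// the separator is '<br/>').
echo wp_kses(BuildComponents::displayComponentsList($package->components, '<br/>'), ['br' => []]);

// Returns an <img> element: restrict the allow-list to the img tag and the
// attributes it actually emits (adjust the list to match getSTypeIcon()).
// wp_kses_post() would also pass img through, but admits far more markup than needed.
echo wp_kses(
	$store->getSTypeIcon(),
	['img' => ['src' => true, 'alt' => true, 'class' => true, 'title' => true, 'width' => true, 'height' => true]]
);

// Pre-built HTML: prefer assembling it from escaped parts where it is built.
// When a finished blob has to be echoed, filter it through an allow-list;
// wp_kses_post() is the general-purpose one.
echo wp_kses_post($progress_html);

// $idHtml is assembled from an esc_attr()-escaped value plus literal markup, so
// it is already safe; escaping it again would double-encode. Tell the sniff why
// instead (see the phpcs:ignore annotation on the echo below).
$idHtml = isset($tplData['idRow']) && $tplData['idRow'] !== ''
	? 'id="' . esc_attr($tplData['idRow']) . '" '
	: '';
?>
<tr <?php echo $idHtml; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- $idHtml is built from esc_attr() above. ?>>

<?php
// Passing PHP values into JavaScript: esc_js() escapes for use inside a
// *single-quoted* JS string literal, so its output must sit between single
// quotes (as for the nonce below); double quotes are not what it targets.
// A bare numeric value is not a string literal at all, so cast it instead.
?>
<script>
	DupPro.Pack.Transfer.GetPackageState = function () {
		var package_id = <?php echo (int) $package->ID; ?>;
		var data = {
			action: '',
			package_id: package_id,
			nonce: '<?php echo esc_js(wp_create_nonce('duplicator_pro_packages_details_transfer_get_package_vm')); ?>'
		};
		$.ajax();
	}
</script>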
