Escaping Data

// instead the _e(), __() or _x() use the escaped version

_e('Email Summary', 'duplicator-pro');

// this escaped version is safe to use

esc_html_e('Email Summary', 'duplicator-pro');

?>

// This block is not safe to use since the data is not being escaped before echoing

<h2 class="<?php echo $customStyle ?>">

	<?php _e('Email Summary', 'duplicator-pro') ?>

</h2>

<i class="fas fa-question-circle" data-tooltip="<?php _e('Help', 'duplicator-pro') ?>"></i>

<a href="<?php echo DUP_SITE_URL ?>">Link</a>

<button onclick="DupPro.Pack.OpenPackTransfer(<?php echo $package->ID ?>);"></button>

// This block is safe to use since the data is escaped

<h2 class="<?php echo esc_attr($customStyle) ?>">

	<?php esc_html_e('Email Summary', 'duplicator-pro') ?>

</h2>

<i class="fas fa-question-circle" data-tooltip="<?php esc_attr_e('Help', 'duplicator-pro') ?>"></i>

<a href="<?php echo esc_url(DUP_SITE_URL) ?>"><?php esc_html_e('Link', 'duplicator-pro') ?></a>

<button onclick="DupPro.Pack.OpenPackTransfer(<?php echo esc_js($package->ID) ?>);"></button>

<?php

	_e('The <b>bold</b> text is important', 'duplicator-pro');

	printf(

		esc_html_x(

			'The %1$sbold%2$s text is important',

			'%1$s and %2$s represent the opening and closing bold tags',

			'duplicator-pro'

		),

		'<b>',

		'</b>'

	);

// Needs clarification

echo esc_html(get_date_from_gmt($package->Created)) // is this nesting good?

echo trim(str_replace(',', "<br/>", $package->Database->FilterTables)) // how to escape this if the returned string contains html elements like <br/>

echo DUP_PRO_Package::format_and_get_local_date_time($package->Created, $packagesViewData['package_ui_created']) // this is already very long, wrapping this with esc_html will make it even longer. Should this go into a variable?

echo implode("<br/>", $package->Database->info->collationList) // Again the returned string conatains html. How to best handle this?

echo BuildComponents::displayComponentsList($package->components, "</br>")

echo $store->getSTypeIcon() // This returns an <img> element. wp_kses, wpdocs_allowed_html, wpdocs_output_img?

echo $progress_html // Contains html

$idHtml = strlen($tplData['idRow']) ? 'id="' . esc_attr($tplData['idRow']) . '" ' : '' ; // $idHtml is already escaped, double escaping doesn't make sense is adding a comment for phpcs to ignore an option?

?>

<tr <?php echo $idHtml; ?>>

// When inserting data with PHP to JavaScript escape the values using esc_js()

// Note, for wp_create_nonce() function make sure it is in single quotes as shown below, double quotes won't work

<script>

	DupPro.Pack.Transfer.GetPackageState = function () {

            var package_id = <?php echo esc_js($package->ID); ?>;

            var data = {

                action: '',

                package_id: package_id,

                nonce: '<?php echo esc_js(wp_create_nonce('duplicator_pro_packages_details_transfer_get_package_vm')); ?>'

            };

            $.ajax();

	}

</script>