
Escaping Data

// Instead of _e(), __() or _x(), use the escaped versions (esc_html_e(), esc_html__(), esc_html_x(), or the esc_attr_*() equivalents inside attributes)
_e('Email Summary', 'duplicator-pro');
// This escaped version is safe to use: the translated string is HTML-escaped before it is echoed
esc_html_e('Email Summary', 'duplicator-pro');
// This block is not safe to use since the data is not being escaped before echoing
<h2 class="<?php echo $customStyle ?>">
	<?php _e('Email Summary', 'duplicator-pro') ?>
<i class="fas fa-question-circle" data-tooltip="<?php _e('Help', 'duplicator-pro') ?>"></i>
<a href="<?php echo DUP_SITE_URL ?>">Link</a>
<button onclick="DupPro.Pack.OpenPackTransfer(<?php echo $package->ID ?>);"></button>
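// This block is safe to use since the data is escaped
// Caveat: esc_js() only protects a value placed inside a single-quoted JavaScript string; the unquoted $package->ID in the onclick handler should also be cast to an integer, e.g. with (int) or absint()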
<h2 class="<?php echo esc_attr($customStyle) ?>">
	<?php esc_html_e('Email Summary', 'duplicator-pro') ?>
<i class="fas fa-question-circle" data-tooltip="<?php esc_attr_e('Help', 'duplicator-pro') ?>"></i>
<a href="<?php echo esc_url(DUP_SITE_URL) ?>"><?php esc_html_e('Link', 'duplicator-pro') ?></a>
<button onclick="DupPro.Pack.OpenPackTransfer(<?php echo esc_js($package->ID) ?>);"></button>
	_e('The <b>bold</b> text is important', 'duplicator-pro');
			'The %1$sbold%2$s text is important',
			'%1$s and %2$s represent the opening and closing bold tags',
// Needs clarification
echo esc_html(get_date_from_gmt($package->Created)) // is this nesting good?
echo trim(str_replace(',', "<br/>", $package->Database->FilterTables)) // how to escape this if the returned string contains html elements like <br/>
echo DUP_PRO_Package::format_and_get_local_date_time($package->Created, $packagesViewData['package_ui_created']) // this is already very long, wrapping this with esc_html will make it even longer. Should this go into a variable?
echo implode("<br/>", $package->Database->info->collationList) // Again the returned string contains html. How to best handle this?
echo BuildComponents::displayComponentsList($package->components, "</br>")
echo $store->getSTypeIcon() // This returns an <img> element. wp_kses, wpdocs_allowed_html, wpdocs_output_img?
echo $progress_html // Contains html
$idHtml = strlen($tplData['idRow']) ? 'id="' . esc_attr($tplData['idRow']) . '" ' : '' ; // $idHtml is already escaped, so double escaping doesn't make sense. Is adding a comment for phpcs to ignore it an option?
<tr <?php echo $idHtml; ?>>
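// When passing data from PHP into JavaScript, escape the values using esc_js()
// Note: for the wp_create_nonce() value, make sure it is wrapped in single quotes as shown below; double quotes won't work
// esc_js() only protects a value inside such a quoted string, so an unquoted numeric value like package_id should also be cast with (int) or absint()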
	DupPro.Pack.Transfer.GetPackageState = function () {
            var package_id = <?php echo esc_js($package->ID); ?>;
            var data = {
                action: '',
                package_id: package_id,
                nonce: '<?php echo esc_js(wp_create_nonce('duplicator_pro_packages_details_transfer_get_package_vm')); ?>'

