diff --git a/security/escaping-output.md b/security/escaping-output.md index ff36d2b..16679a8 100644 --- a/security/escaping-output.md +++ b/security/escaping-output.md @@ -29,7 +29,9 @@ WordPress thankfully has a few helper functions we can use for most of what we `esc_attr()` can be used on everything else that's printed into an HTML element's attribute. -@todo example for esc_attr() +``` +Click me +``` It's important to note that most WordPress functions properly prepare the data for output, and you don't need to escape again. @@ -39,6 +41,14 @@ It's important to note that most WordPress functions properly prepare the data f @todo include note of wp_post_kses() +Special case when working on *textarea*. While applying wp_kses will delete
html tag and newlines will not be preserved, there is a trick to do it. + +``` +
+ echo trim( str_replace( '%newline%', '
', wp_kses( str_replace( '
', '%newline%', $string ), '' ) ) ); +
+``` + ### Conclusion Whenever you're rendering data from the database, you'll want to make sure it's properly escaped. Escaping helps prevent issues like cross-site scripting.
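Review bot: in the first hunk (`@@ -29,7 +29,9 @@`) the new code fence that replaces `@todo example for esc_attr()` has no language tag, and the rendered snippet shows only the link text `Click me`; give the fence a tag (`html` or `php`) and make sure the attribute context is visible in the example, i.e. the untrusted value wrapped in `esc_attr()` inside a quoted attribute, since that quoting is the whole point of the sentence above it ("printed into an HTML element's attribute") and a reader cannot learn the correct placement from the link text alone.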
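Review bot: in the second hunk (`@@ -39,6 +41,14 @@`) the added sentence is hard to parse ("While applying wp_kses will delete html tag and newlines will not be preserved, there is a trick to do it."); suggest something like "Special case when working with a *textarea*: `wp_kses()` strips the HTML tag used for line breaks, so they are lost. The following trick preserves them." and then explain the code, because the snippet passes `''` as the second argument of `wp_kses()`, which is the allowed-HTML list, so an empty value means every tag is stripped, and that should be stated rather than left implicit. Two further points on the snippet: the `%newline%` placeholder is swapped back in after `wp_kses()` has run, so if `$string` already contains the literal text `%newline%` it will also be turned into the replacement on output (harmless only if the replacement is a fixed, safe string; worth a comment), and the fence again has no language tag. Unrelated to the change but in the same hunk's context, the `@todo` line refers to `wp_post_kses()`; the WordPress function is `wp_kses_post()`, so fix the name when that note is written.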