Usage of esc_url, esc_html, esc_attr ... functions

Part 1

According to the documentation - Validating, Sanitizing, and Escaping by WP VIP team.

Guiding Principles

Never trust user input.
Escape as late as possible.
Escape everything from untrusted sources (like databases and users), third-parties (like Twitter), etc.
Never assume anything.
Never trust user input.
Sanitation is okay, but validation/rejection is better.
Never trust user input.

“Escaping isn’t only about protecting from bad guys. It’s just making our software durable. Against random bad input, against malicious input, or against bad weather.” –nb

Part 2

Codex entry for esc_html
Codex entry for esc_attr

According to the article - Introduction to WordPress Front End Security: Escaping the Things by Andy Adams from CSS-Tricks.

Function: esc_html

Used for: Output that should have absolutely no HTML in the output.

What it does: Converts HTML special characters (such as <, >, &) into their "escaped" entity (<, >, &).

Function: esc_attr

Used for: Output being used in the context of an HTML attribute (think "title", "data-" fields, "alt" text).

What it does: The exact same thing as esc_html. The only difference is that different WordPress filters are applied to each function.

CodeHunter

Usage of esc_url, esc_html, esc_attr ... functions

Part 1

Part 2

Recent Posts

How can I color dots in a xy scatterplot according to column value?

How to update a claim in ASP.NET Identity?

What does {0} mean when initializing an object?

Accessing members of items in a JSONArray with Java

How to log SQL statements in Spring Boot?

Powershell Get-WebSite name parameter is ignored

How to detect scroll to bottom of html element

Java synchronized method

How to test controllers with CodeIgniter?

Detect Visual Composer

Matplotlib: Specify format of floats for tick labels

Rails join a list of strings with commas and "and" before the last