• Resolved sprowt

    (@sprowt)


    hi

    i have a basic understanding of escaping and translating.

    what is confusing me is why this is escaped but not this.

    is it because the first example is output to an admin page? escaping HTML makes more sense to me when a url or form is involved.

    HTML appears to be escaped in a few wordpress theme files but not nearly as much as in others where it’s just being translated, not also escaped.

    i’d like to have a better grasp of how and when each is used.

    thanks so much for your time <3

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator bcworkz

    (@bcworkz)

    Hiya sprowt,

    All content from the user or the DB should be escaped on output, admin page or not. Hardcoded, static strings do not require escaping as there is no opportunity to inject malicious code. Translated strings could be considered “static” if you trust the translators. I don’t think that’s generally a good idea, better safe than sorry.

    Some WP functions may escape content themselves, so there could be more escaping going on than is readily apparent.

    I don’t know if this will help any:
    https://developer.www.ads-software.com/plugins/security/securing-output/
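
The rules in the reply above, shown as an added example that is not part of the original thread or of any poster's code. It assumes the code runs inside a WordPress theme template; the `my-theme` text domain and the CSS class names are hypothetical.

```php
<?php
// Assumption: theme template part loaded by WordPress, so core escaping
// and translation functions exist. 'my-theme' is a hypothetical text domain.

// 1. Hardcoded, static markup: nothing can be injected, no escaping needed.
echo '<h2 class="author-box-title">';

// 2. Translated string: the text comes from a translation file, so use the
//    escaping variant (esc_html_e) rather than plain _e().
esc_html_e( 'About the author', 'my-theme' );
echo '</h2>';

// 3. Content from the DB: escape on output, with the function that matches
//    the context (URL, attribute, or HTML body).
$author_id = (int) get_the_author_meta( 'ID' );
$name      = get_the_author_meta( 'display_name', $author_id );
$site      = get_the_author_meta( 'user_url', $author_id );
$bio       = get_the_author_meta( 'description', $author_id );

printf(
	'<a class="author-link" href="%1$s" title="%2$s">%3$s</a>',
	esc_url( $site ),
	esc_attr(
		sprintf(
			/* translators: %s: author display name */
			__( 'Visit the website of %s', 'my-theme' ),
			$name
		)
	),
	esc_html( $name )
);

// A field that may legitimately hold limited markup: filter it down to the
// tags allowed in post content instead of escaping everything.
echo '<div class="author-bio">' . wp_kses_post( $bio ) . '</div>';

// 4. Content from the user: same rule, on an admin page or not.
$tag = isset( $_GET['tag'] ) ? sanitize_text_field( wp_unslash( $_GET['tag'] ) ) : '';
echo '<p>';
/* translators: %s: tag name taken from the query string */
printf( esc_html__( 'Filtered by tag: %s', 'my-theme' ), esc_html( $tag ) );
echo '</p>';

// 5. Some core functions escape for you: get_search_query() runs esc_attr()
//    on its return value by default, so no second escape is needed here.
echo '<p>' . get_search_query() . '</p>';
```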

    Thread Starter sprowt

    (@sprowt)

    hey BC

    yes, you’re always helpful, thank you!

    i’ll be sure to follow the directives in the link you sent.

    have a great week <3

  • The topic ‘escaping and translating clarification’ is closed to new replies.