How to Escape Data in WordPress

Escaping Data

What is Escaping?

In simple terms, escaping means securing output.

It is necessary to prevent XSS attacks, and it also ensures that data is displayed to the user exactly as expected.

It converts special HTML characters into HTML entities, so the browser displays them rather than interpreting them as markup or executing them.

For example, Facebook escapes chat messages when showing them, to ensure that users cannot execute code on one another's computers.

WordPress includes functions for escaping various types of data.

  1. esc_html()
  2. esc_textarea()
  3. esc_attr()
  4. esc_url()
  5. esc_url_raw()
  6. esc_js()
  7. esc_xml()
  8. antispambot()
  9. Conclusion

esc_html()

This function escapes HTML characters.

Example code:

<?php
echo esc_html( "<html>WEBDAV</html>" );
// Output: "&lt;html&gt;WEBDAV&lt;/html&gt;"

esc_textarea()

Use esc_textarea() rather than esc_html() when displaying text in a textarea, because esc_textarea() double-encodes entities that are already present in the text, which is what a textarea needs.

Example code:

<?php
echo esc_textarea( "<span>Some text<br /> for escaping for textarea tag </span>.
 Some characters: \" ' &" );
/* Output:
&lt;span&gt;Some text&lt;br /&gt; for escaping for textarea tag &lt;/span&gt;.
 Some characters: &quot; &#039; &amp; */
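The difference matters when the stored text already contains entities. The following added example (not code from the original post) shows the same user text passed through esc_html() and esc_textarea(); it assumes it runs inside WordPress, where both functions are loaded from wp-includes/formatting.php, and the text itself is a constructed sample.

```php
<?php
/**
 * Added example (not from the original post): why a textarea needs
 * esc_textarea() and not esc_html(). Assumes a WordPress runtime.
 */

// Constructed sample: text a user typed into a form, already containing
// HTML entities as well as raw special characters.
$user_text = "Use &lt;b&gt; for bold, & for ampersand, \"quoted\" and 'single'";

// esc_html() does not double-encode: the existing &lt; and &gt; stay as they are.
$for_html = esc_html( $user_text );
// Use &lt;b&gt; for bold, &amp; for ampersand, &quot;quoted&quot; and &#039;single&#039;

// esc_textarea() double-encodes: &lt; becomes &amp;lt;, so the browser decodes
// it back to the literal text "&lt;" that the user actually typed.
$for_textarea = esc_textarea( $user_text );
// Use &amp;lt;b&amp;gt; for bold, &amp; for ampersand, &quot;quoted&quot; and &#039;single&#039;

// Rendered in a paragraph, the first version is correct.
echo '<p>' . $for_html . '</p>';

// Rendered in a textarea, only the second version round-trips: the textarea
// decodes entities, so $for_html would show "<b>" instead of "&lt;b&gt;" and
// the saved text would silently change on the next submit.
echo '<textarea name="bio">' . $for_textarea . '</textarea>';
```

The practical rule: esc_html() for text that is displayed, esc_textarea() for text that is handed back to the user for editing.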

esc_attr()

This function escapes the value of HTML tag attributes. It encodes the following characters: <, >, &, ", and '. It never double-encodes entities.

Example code:

<input type="text" value="<?php echo esc_attr( 'Want to do a "br" tag? Do this: &lt;br&gt;' ); ?>">

<!-- Output -->
<input type="text" value="Want to do a &quot;br&quot; tag? Do this: &lt;br&gt;">

esc_url()

This function removes invalid and potentially harmful characters from a URL and encodes the remaining special characters as HTML entities.

For example, if you want to display a URL or a whole <a> tag, you should escape the href attribute to prevent an XSS attack.

Example code:

<?php
$url = "javascript:alert('Click Me')";
?>
<a href="<?php echo esc_url( $url ); ?>">Click here</a>

<!-- Output -->
<a href="">Click here</a>

esc_url_raw()

It is used to save a URL in a database or for URL redirection. The distinction between esc_url() and esc_url_raw() is that esc_url_raw() does not replace ampersands or single quotes.

Example code:

<?php
$url = 'https://webdav.in?param=value';
$secure_url = esc_url_raw( $url );
update_option( 'my_option', $secure_url );
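To make the esc_url() / esc_url_raw() distinction concrete, here is an added example (not code from the original post) that passes one URL through both functions, shows the protocol check they share, and uses esc_url_raw() for a redirect. It assumes a WordPress runtime; the URL and the `next` query parameter are constructed samples.

```php
<?php
/**
 * Added example (not from the original post): the same URL escaped for
 * display with esc_url() and for storage/redirects with esc_url_raw().
 * Assumes a WordPress runtime.
 */

// Constructed sample: a URL containing an ampersand and a single quote.
$url = "https://webdav.in/search?q=books&sort=o'reilly";

// Display context: & becomes &#038; and ' becomes &#039;, which is what
// an href="..." attribute needs.
$display = esc_url( $url );
// https://webdav.in/search?q=books&#038;sort=o&#039;reilly
echo '<a href="' . $display . '">Search</a>';

// Raw context: no entity encoding, so the value is still a plain URL when
// it is written to the database or handed to a redirect.
$raw = esc_url_raw( $url );
// https://webdav.in/search?q=books&sort=o'reilly
update_option( 'last_search_url', $raw );

// Both variants return an empty string for a scheme that is not in
// wp_allowed_protocols(), so such values never reach the page or the database.
var_dump( esc_url( "javascript:alert('x')" ) );     // string(0) ""
var_dump( esc_url_raw( "data:text/html,hello" ) ); // string(0) ""

// Redirect target taken from the request: escape with esc_url_raw(), then let
// wp_safe_redirect() additionally restrict the destination to the site's own
// host, so the value cannot be turned into an open redirect.
if ( isset( $_GET['next'] ) ) {
	wp_safe_redirect( esc_url_raw( wp_unslash( $_GET['next'] ) ) );
	exit;
}
```

Note that using esc_url() for a stored value would write `&#038;` into the database and break the URL when it is later used outside an HTML context, which is exactly why the raw variant exists.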

esc_js()

The esc_js() function is designed to prevent Cross-Site Scripting (XSS) attacks, in which malicious scripts are injected into trusted websites.

The esc_js() function accepts a string as input and returns a new string in which specific characters are replaced with escape sequences. The browser treats these sequences as literal characters inside the JavaScript string rather than as code, so potentially harmful input cannot run.

It escapes single quotes, double quotes, <, >, &, and fixes line endings.

Example Code:

<?php
function print_js_in_alert() {
	$js_text = "This is malicious code that needs  '', &amp; 'escaping'  ";
	echo '<button onclick="alert(\'' . esc_js( $js_text ) . '\')">Click me</button>';
}
print_js_in_alert();
// Escaped attribute value: This is malicious code that needs  \'\', &amp; \'escaping\'
// Alert shown after the browser decodes the attribute: This is malicious code that needs  '', & 'escaping'
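esc_js() is built for JavaScript that lives inside an HTML attribute such as onclick, where the browser HTML-decodes the attribute value before running it. Inside a <script> element no such decoding happens, so the entities esc_js() produces would appear literally. The following added example (not code from the original post) contrasts the two contexts; it assumes a WordPress runtime, the message is a constructed sample, and the script handle `my-plugin-script` is a hypothetical name for a script you have already enqueued.

```php
<?php
/**
 * Added example (not from the original post): esc_js() for an inline event
 * handler versus wp_json_encode() for a <script> block. Assumes a WordPress
 * runtime; $message is a constructed sample.
 */

$message = "O'Neil said \"hi\" & left </script>";

// Attribute context: the esc_js() result goes between single quotes.
// esc_js( $message ) === "O\'Neil said &quot;hi&quot; &amp; left &lt;/script&gt;"
echo '<button onclick="alert(\'' . esc_js( $message ) . '\')">Show</button>';
// After the browser decodes the attribute, alert() receives:
// O'Neil said "hi" & left </script>

// Script-block context: a JSON string literal is a valid JavaScript
// expression, and wp_json_encode() (json_encode underneath) escapes "/" as
// "\/", so the text cannot close the surrounding <script> element.
echo '<script>var message = ' . wp_json_encode( $message ) . ';</script>';
// <script>var message = "O'Neil said \"hi\" & left <\/script>";</script>

// Preferred for enqueued scripts: attach the data to the script handle from a
// wp_enqueue_scripts callback (the handle name here is hypothetical).
add_action( 'wp_enqueue_scripts', function () use ( $message ) {
	wp_add_inline_script(
		'my-plugin-script',
		'var message = ' . wp_json_encode( $message ) . ';',
		'before'
	);
} );
```

Using esc_js() inside a <script> block would leave `&quot;` and `&lt;/script&gt;` in the string shown to the user, while echoing the raw value there would let `</script>` terminate the element; choosing the encoder by output context avoids both.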
 

esc_xml()

WordPress's esc_xml() function encodes text for safe use in XML. It transforms certain characters into their corresponding XML entities, which helps prevent problems with XML processing and presentation. This function is very useful when arbitrary content has to be produced in XML format, such as RSS feeds or XML sitemaps.

Example Code:

<?php
$basic_xml = '<tag>Some content with <, >, &, \', and "</tag>';
echo esc_xml( $basic_xml );
// Output: &lt;tag&gt;Some content with &lt;, &gt;, &amp;, &#039;, and &quot;&lt;/tag&gt;

antispambot()

There are many email bots that continually hunt for email addresses. We may wish to display an email address to people but not have it recognized by email bots. antispambot() helps us accomplish just that.

antispambot() makes the address harder for simple harvesters to recognize by converting its characters to HTML entities (and, in hex mode, to URL-encoded bytes).

Example code:

<?php
echo antispambot( "contact@webdav.in", 1 );
// One possible output (the encoding is randomized on every call):
// "%63o%6e%74a%63%74%40w%65bdav.%69n"

Conclusion

If data is not escaped on output, it can be exploited. Never underestimate an attacker's abilities: they are masters at discovering ways to make the 'this should never, ever, be conceivable' happen :). To ensure the utmost security, we must escape everything.
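"Escape everything" in practice means "escape each value with the function for the context it lands in". The following added example (not code from the original post) renders one profile card using every function covered above, with the unsafe version shown in a comment for comparison. It assumes a WordPress runtime, and the profile array is a constructed sample standing in for untrusted data such as user meta or form input.

```php
<?php
/**
 * Added example (not from the original post): one render function that
 * escapes each value with the function matching its output context.
 * Assumes a WordPress runtime; the profile array is a constructed sample.
 */
function render_profile_card( array $profile ) {
	// Every field is treated as untrusted, whatever its source.
	$name    = $profile['name'];
	$site    = $profile['site'];
	$tagline = $profile['tagline'];
	$bio     = $profile['bio'];
	$email   = $profile['email'];

	// Unsafe version for comparison (do NOT use): raw values land directly in
	// text, attribute and URL positions, so any one of them can inject markup.
	// echo "<a href=\"$site\" title=\"$tagline\">$name</a>";

	// Text node: esc_html().
	echo '<h2>' . esc_html( $name ) . '</h2>';

	// href attribute: esc_url(); other attribute: esc_attr(); text: esc_html().
	// The same tagline is escaped twice because it appears in two contexts.
	echo '<a href="' . esc_url( $site ) . '" title="' . esc_attr( $tagline ) . '">'
		. esc_html( $tagline ) . '</a>';

	// Textarea content: esc_textarea(), so entities already in the text survive.
	echo '<textarea name="bio" readonly>' . esc_textarea( $bio ) . '</textarea>';

	// Inline event handler: esc_js() inside single quotes.
	echo '<button onclick="alert(\'Hello ' . esc_js( $name ) . '\')">Greet</button>';

	// Visible e-mail address: antispambot() obfuscates it for simple harvesters.
	echo '<p>' . antispambot( $email ) . '</p>';
}

// Constructed sample with characters that are special in each context.
render_profile_card( array(
	'name'    => 'Ada <Lovelace>',
	'site'    => 'https://webdav.in/?ref=profile&user=ada',
	'tagline' => 'Says "hello" & goodbye',
	'bio'     => 'I write &lt;code&gt; for a living.',
	'email'   => 'ada@webdav.in',
) );
```

Expected rendering: the name shows as `Ada <Lovelace>` as plain text, the link's href keeps `&#038;` in the source but works normally in the browser, the title attribute shows `Says "hello" & goodbye`, the textarea shows the literal `&lt;code&gt;` the user wrote, and the button alerts `Hello Ada <Lovelace>`.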
