esc_attr( string $text )
Escaping for HTML attributes.
Description
Parameters
- $text (string) (Required) The text to be escaped for use in an HTML attribute.
Return
(string)
Source
File: wp-includes/formatting.php

```php
function esc_attr( $text ) {
	$safe_text = wp_check_invalid_utf8( $text );
	$safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
	/**
	 * Filters a string cleaned and escaped for output in an HTML attribute.
	 *
	 * Text passed to esc_attr() is stripped of invalid or special characters
	 * before output.
	 *
	 * @since 2.0.6
	 *
	 * @param string $safe_text The text after it has been escaped.
	 * @param string $text      The text prior to being escaped.
	 */
	return apply_filters( 'attribute_escape', $safe_text, $text );
}
```
Changelog
Version | Description |
---|---|
2.8.0 | Introduced. |
More Information
Encodes the <, >, &, " and ' characters (less than, greater than, ampersand, double quote and single quote). Will never double encode entities: an entity that is already valid in the input is passed through unchanged.
Always use when escaping HTML attributes (especially form values) such as alt, value, title, etc. To escape the value of a translation use esc_attr__() instead; to escape, translate and echo, use esc_attr_e().
Related
Uses
Uses | Description |
---|---|
wp-includes/formatting.php: attribute_escape | Filters a string cleaned and escaped for output in an HTML attribute. |
wp-includes/formatting.php: wp_check_invalid_utf8() | Checks for invalid UTF8 in a string. |
wp-includes/formatting.php: _wp_specialchars() | Converts a number of special characters into their HTML entities. |
wp-includes/plugin.php: apply_filters() | Call the functions added to a filter hook. |
Used By
Used By | Description |
---|---|
wp-includes/blocks/latest-comments.php: render_block_core_latest_comments() |
Renders the |
wp-includes/blocks/archives.php: render_block_core_archives() |
Renders the |
wp-includes/blocks/categories.php: render_block_core_categories() |
Renders the |
wp-includes/blocks/latest-posts.php: render_block_core_latest_posts() |
Renders the |
wp-admin/includes/post.php: the_block_editor_meta_boxes() |
Renders the meta boxes forms. |
wp-admin/includes/post.php: the_block_editor_meta_box_post_form_hidden_fields() |
Renders the hidden form required for the meta boxes form. |
wp-admin/includes/user.php: WP_Privacy_Requests_Table::column_status() |
Status column. |
wp-admin/includes/user.php: WP_Privacy_Requests_Table::single_row() |
Generates content for a single row of the table, |
wp-admin/includes/user.php: WP_Privacy_Data_Export_Requests_Table::column_email() |
Actions column. |
wp-admin/includes/user.php: WP_Privacy_Data_Export_Requests_Table::column_next_steps() |
Displays the next steps column. |
wp-admin/includes/user.php: WP_Privacy_Data_Removal_Requests_Table::column_email() |
Actions column. |
wp-admin/includes/user.php: WP_Privacy_Data_Removal_Requests_Table::column_next_steps() |
Next steps column. |
wp-admin/includes/user.php: WP_Privacy_Requests_Table::column_cb() |
Checkbox column. |
wp-admin/includes/user.php: _wp_personal_data_export_page() |
Personal data export. |
wp-admin/includes/user.php: _wp_personal_data_removal_page() |
Personal data anonymization. |
wp-includes/widgets/class-wp-widget-text.php: WP_Widget_Text::is_legacy_instance() |
Determines whether a given instance is legacy and should bypass using TinyMCE. |
wp-includes/widgets/class-wp-widget-custom-html.php: WP_Widget_Custom_HTML::form() |
Outputs the Custom HTML widget settings form. |
wp-includes/customize/class-wp-customize-nav-menu-locations-control.php: WP_Customize_Nav_Menu_Locations_Control::content_template() |
JS/Underscore template for the control UI. |
wp-includes/customize/class-wp-customize-themes-section.php: WP_Customize_Themes_Section::filter_drawer_content_template() |
Render the filter drawer portion of a themes section as a JS template. |
wp-includes/customize/class-wp-customize-date-time-control.php: WP_Customize_Date_Time_Control::content_template() |
Renders a JS template for the content of date time control. |
wp-admin/press-this.php: wp_load_press_this() | |
wp-admin/includes/misc.php: wp_print_plugin_file_tree() |
Outputs the formatted file list for the plugin editor. |
wp-admin/includes/misc.php: wp_print_theme_file_tree() |
Outputs the formatted file list for the theme editor. |
wp-includes/widgets/class-wp-widget-media.php: WP_Widget_Media::form() |
Outputs the settings update form. |
wp-includes/widgets/class-wp-widget-media.php: WP_Widget_Media::render_control_template_scripts() |
Render form template scripts. |
wp-includes/widgets/class-wp-widget-media-image.php: WP_Widget_Media_Image::render_media() |
Render the media on the frontend. |
wp-includes/class-wp-customize-nav-menus.php: WP_Customize_Nav_Menus::print_post_type_container() |
Print the markup for new menu items. |
wp-includes/customize/class-wp-customize-background-position-control.php: WP_Customize_Background_Position_Control::content_template() |
Render a JS template for the content of the position control. |
wp-includes/general-template.php: wp_resource_hints() |
Prints resource hints to browsers for pre-fetching, pre-rendering and pre-connecting to web sites. |
wp-admin/includes/ms.php: network_edit_site_nav() |
Outputs the HTML for a network’s “Edit Site” tabular interface. |
wp-admin/includes/class-wp-plugins-list-table.php: WP_Plugins_List_Table::search_box() |
Displays the search box. |
wp-includes/class-wp-customize-widgets.php: WP_Customize_Widgets::filter_dynamic_sidebar_params() |
Inject selective refresh data attributes into widget container elements. |
wp-includes/embed.php: get_post_embed_html() |
Retrieves the embed code for a specific post. |
wp-includes/author-template.php: get_the_author_posts_link() |
Retrieves an HTML link to the author page of the current post’s author. |
wp-includes/media.php: wp_image_add_srcset_and_sizes() |
Adds ‘srcset’ and ‘sizes’ attributes to an existing ‘img’ element. |
wp-admin/includes/class-wp-posts-list-table.php: WP_Posts_List_Table::get_edit_link() |
Helper to create links to edit.php with params. |
wp-includes/customize/class-wp-customize-nav-menu-location-control.php: WP_Customize_Nav_Menu_Location_Control::render_content() |
Render content just like a normal select control. |
wp-includes/class-wp-customize-panel.php: WP_Customize_Panel::print_template() |
Render the panel’s JS templates. |
wp-includes/general-template.php: get_language_attributes() |
Gets the language attributes for the html tag. |
wp-includes/class-wp-customize-nav-menus.php: WP_Customize_Nav_Menus::filter_wp_nav_menu() |
Prepares wp_nav_menu() calls for partial refresh. |
wp-includes/customize/class-wp-customize-new-menu-section.php: WP_Customize_New_Menu_Section::render() |
Render the section, and the controls that have been added to it. |
wp-admin/includes/class-wp-posts-list-table.php: WP_Posts_List_Table::handle_row_actions() |
Generates and displays row action links. |
wp-admin/includes/class-wp-posts-list-table.php: WP_Posts_List_Table::column_title() |
Handles the title column output. |
wp-admin/includes/class-wp-links-list-table.php: WP_Links_List_Table::column_cb() |
Handles the checkbox column output. |
wp-admin/includes/class-wp-links-list-table.php: WP_Links_List_Table::column_name() |
Handles the link name column output. |
wp-admin/includes/class-wp-ms-themes-list-table.php: WP_MS_Themes_List_Table::column_name() |
Handles the name column output. |
wp-admin/includes/class-wp-ms-themes-list-table.php: WP_MS_Themes_List_Table::column_description() |
Handles the description column output. |
wp-admin/includes/class-wp-ms-themes-list-table.php: WP_MS_Themes_List_Table::column_cb() |
Handles the checkbox column output. |
wp-admin/includes/class-wp-ms-sites-list-table.php: WP_MS_Sites_List_Table::column_cb() |
Handles the checkbox column output. |
wp-admin/includes/class-wp-terms-list-table.php: WP_Terms_List_Table::handle_row_actions() |
Generates and displays row action links. |
wp-admin/includes/class-wp-ms-users-list-table.php: WP_MS_Users_List_Table::column_cb() |
Handles the checkbox column output. |
wp-admin/includes/class-wp-media-list-table.php: WP_Media_List_Table::column_parent() |
Handles the parent column output. |
wp-admin/includes/class-wp-media-list-table.php: WP_Media_List_Table::column_title() |
Handles the title column output. |
wp-includes/kses.php: wp_kses_one_attr() |
Filters one HTML attribute and ensures its value is allowed. |
wp-includes/customize/class-wp-customize-theme-control.php: WP_Customize_Theme_Control::content_template() |
Render a JS template for theme display. |
wp-includes/l10n.php: wp_dropdown_languages() |
Language selector. |
wp-includes/class-wp-customize-control.php: WP_Customize_Control::input_attrs() |
Render the custom attributes for the control’s input element. |
wp-admin/includes/translation-install.php: wp_install_language_form() |
Output the select form for the language selection on the installation screen. |
wp-login.php: login_header() |
Output the login page header. |
wp-signup.php: show_user_form() |
Display user registration form |
wp-signup.php: signup_blog() |
Setup the new site signup |
wp-signup.php: show_blog_form() |
Generates and displays the Signup and Create Site forms |
wp-admin/includes/network.php: network_step1() |
Prints step 1 for Network installation process. |
wp-admin/install.php: display_setup_form() |
Display installer setup form. |
wp-admin/includes/class-wp-screen.php: WP_Screen::render_screen_layout() |
Render the option for number of columns on the page |
wp-admin/includes/class-wp-screen.php: WP_Screen::render_per_page_options() |
Render the items per page option |
wp-admin/includes/theme.php: get_theme_update_available() |
Retrieve the update link if there is a theme update available. |
wp-admin/includes/class-wp-screen.php: WP_Screen::render_screen_meta() |
Render the screen’s help section. |
wp-admin/includes/class-wp-plugins-list-table.php: WP_Plugins_List_Table::single_row() | |
wp-admin/includes/screen.php: meta_box_prefs() |
Prints the meta box preferences for screen meta. |
wp-admin/includes/class-wp-links-list-table.php: WP_Links_List_Table::display_rows() | |
wp-admin/includes/theme-install.php: install_theme_search_form() |
Display search form for searching themes. |
wp-admin/includes/theme-install.php: install_themes_dashboard() |
Display tags filter for themes. |
wp-admin/includes/class-bulk-upgrader-skin.php: Bulk_Upgrader_Skin::before() | |
wp-admin/includes/class-bulk-upgrader-skin.php: Bulk_Upgrader_Skin::after() | |
wp-admin/includes/class-wp-list-table.php: WP_List_Table::view_switcher() |
Display a view switcher |
wp-admin/includes/class-wp-list-table.php: WP_List_Table::display_tablenav() |
Generate the table navigation above or below the table |
wp-admin/includes/class-wp-list-table.php: WP_List_Table::search_box() |
Displays the search box. |
wp-admin/includes/class-wp-list-table.php: WP_List_Table::bulk_actions() |
Display the bulk actions dropdown. |
wp-admin/includes/class-wp-list-table.php: WP_List_Table::months_dropdown() |
Display a monthly dropdown for filtering items |
wp-admin/includes/ms.php: mu_dropdown_languages() |
Generates and displays a drop-down of available languages. |
wp-admin/includes/class-wp-ms-themes-list-table.php: WP_MS_Themes_List_Table::single_row() | |
wp-admin/includes/misc.php: admin_color_scheme_picker() |
Display the default admin color scheme picker (Used in user-edit.php) |
wp-admin/includes/class-wp-theme-install-list-table.php: WP_Theme_Install_List_Table::install_theme_info() |
Prints the info for a theme (to be used in the theme installer modal). |
wp-admin/includes/taxonomy.php: get_terms_to_edit() |
Get comma-separated list of terms available to edit for the given post ID. |
wp-admin/includes/class-wp-theme-install-list-table.php: WP_Theme_Install_List_Table::single_row() |
Prints a theme from the WordPress.org API. |
wp-admin/includes/update.php: wp_plugin_update_row() |
Displays update information for a plugin. |
wp-admin/includes/update.php: wp_theme_update_row() |
Displays update information for a theme. |
wp-admin/includes/plugin-install.php: install_search_form() |
Displays a search form for searching plugins. |
wp-admin/includes/plugin-install.php: install_plugins_favorites_form() |
Show a username form for the favorites page |
wp-admin/includes/plugin-install.php: install_plugin_information() |
Display plugin information in dialog box form. |
wp-admin/includes/deprecated.php: wp_dashboard_plugins_output() |
Display plugins text for the WordPress news widget. |
wp-admin/includes/dashboard.php: wp_dashboard_recent_posts() |
Generates Publishing Soon and Recently Published sections. |
wp-admin/includes/dashboard.php: wp_dashboard_browser_nag() | |
wp-admin/includes/dashboard.php: _wp_dashboard_control_callback() |
Outputs controls for the current dashboard widget. |
wp-admin/includes/dashboard.php: wp_dashboard_right_now() |
Dashboard widget that displays some basic stats about the site. |
wp-admin/includes/dashboard.php: wp_dashboard_recent_drafts() |
Show recent drafts of the user on the dashboard. |
wp-admin/includes/plugin.php: settings_fields() |
Output nonce, action, and option_page fields for a settings page. |
wp-admin/includes/class-wp-plugin-install-list-table.php: WP_Plugin_Install_List_Table::display_rows() | |
wp-admin/includes/template.php: get_submit_button() |
Returns a submit button, with provided text and appropriate class |
wp-admin/includes/template.php: do_settings_fields() |
Print out the settings fields for a particular settings section. |
wp-admin/includes/template.php: find_posts_div() |
Outputs the modal window used for attaching media to posts or pages in the media-listing screen. |
wp-admin/includes/template.php: the_post_password() |
Displays the post password. |
wp-admin/includes/template.php: _admin_search_query() |
Displays the search query. |
wp-admin/includes/template.php: wp_comment_reply() |
Outputs the in-line comment reply-to form in the Comments list table. |
wp-admin/includes/template.php: _list_meta_row() |
Outputs a single row of public meta data in the Custom Fields meta box. |
wp-admin/includes/template.php: meta_form() |
Prints the form in the Custom Fields meta box. |
wp-admin/includes/template.php: page_template_dropdown() |
Print out option HTML elements for the page templates drop-down. |
wp-admin/includes/template.php: wp_dropdown_roles() |
Print out option html elements for role selectors. |
wp-admin/includes/template.php: do_meta_boxes() |
Meta-Box template function. |
wp-admin/includes/template.php: do_accordion_sections() |
Meta Box Accordion Template Function. |
wp-admin/includes/class-wp-themes-list-table.php: WP_Themes_List_Table::display_rows() | |
wp-admin/includes/class-wp-themes-list-table.php: WP_Themes_List_Table::_js_vars() |
Send required variables to JavaScript land |
wp-admin/includes/class-wp-users-list-table.php: WP_Users_List_Table::single_row() |
Generate HTML for a single row on the users.php admin panel. |
wp-admin/includes/media.php: media_upload_gallery_form() |
Adds gallery form to upload iframe |
wp-admin/includes/media.php: media_upload_library_form() |
Outputs the legacy media upload form for the media library. |
wp-admin/includes/media.php: edit_form_image_editor() |
Displays the image and editor in the post editor |
wp-admin/includes/media.php: attachment_submitbox_metadata() |
Displays non-editable attachment metadata in the publish meta box. |
wp-admin/includes/media.php: get_attachment_fields_to_edit() |
Retrieves the attachment fields to edit form fields. |
wp-admin/includes/media.php: get_media_item() |
Retrieve HTML form for modifying the image attachment. |
wp-admin/includes/media.php: get_compat_media_markup() | |
wp-admin/includes/media.php: media_upload_form_handler() |
Handles form submissions for the legacy media uploader. |
wp-admin/includes/media.php: wp_media_upload_handler() |
Handles the process of uploading media. |
wp-admin/includes/media.php: media_sideload_image() |
Downloads an image from the specified URL and attaches it to a post. |
wp-admin/includes/media.php: image_align_input_fields() |
Retrieve HTML for the image alignment radio buttons with the specified one checked. |
wp-admin/includes/media.php: image_link_input_fields() |
Retrieve HTML for the Link URL buttons with the default link type as specified. |
wp-admin/includes/media.php: the_media_upload_tabs() |
Outputs the legacy media upload tabs UI. |
wp-admin/includes/media.php: get_image_send_to_editor() |
Retrieves the image HTML to send to the editor. |
wp-admin/includes/media.php: media_buttons() |
Adds the media button to the editor |
wp-admin/includes/post.php: _wp_post_thumbnail_html() |
Output HTML for the post thumbnail meta-box. |
wp-admin/includes/ajax-actions.php: wp_ajax_find_posts() |
Ajax handler for querying posts for the Find Posts modal. |
wp-admin/includes/ajax-actions.php: wp_ajax_add_link_category() |
Ajax handler for adding a link category. |
wp-admin/includes/meta-boxes.php: post_trackback_meta_box() |
Display trackback links form fields. |
wp-admin/includes/meta-boxes.php: post_slug_meta_box() |
Display slug form fields. |
wp-admin/includes/meta-boxes.php: page_attributes_meta_box() |
Display page attributes form fields. |
wp-admin/includes/meta-boxes.php: link_xfn_meta_box() |
Display xfn form fields. |
wp-admin/includes/meta-boxes.php: link_advanced_meta_box() |
Display advanced link options form fields. |
wp-admin/includes/meta-boxes.php: attachment_id3_data_meta_box() |
Display fields for ID3 data |
wp-admin/includes/meta-boxes.php: post_submit_meta_box() |
Displays post submit form fields. |
wp-admin/includes/meta-boxes.php: post_format_meta_box() |
Display post format form elements. |
wp-admin/includes/meta-boxes.php: post_tags_meta_box() |
Display post tags form fields. |
wp-admin/includes/meta-boxes.php: post_categories_meta_box() |
Display post categories form fields. |
wp-admin/includes/bookmark.php: get_default_link_to_edit() |
Retrieves the default link for editing. |
wp-admin/includes/class-wp-media-list-table.php: WP_Media_List_Table::get_views() | |
wp-admin/includes/class-wp-media-list-table.php: WP_Media_List_Table::_get_row_actions() | |
wp-admin/includes/class-wp-comments-list-table.php: WP_Comments_List_Table::extra_tablenav() | |
wp-admin/includes/class-wp-comments-list-table.php: WP_Comments_List_Table::column_comment() | |
wp-admin/includes/class-wp-terms-list-table.php: WP_Terms_List_Table::column_name() | |
wp-admin/includes/class-wp-terms-list-table.php: WP_Terms_List_Table::inline_edit() |
Outputs the hidden row displayed when inline editing |
wp-admin/includes/class-walker-nav-menu-edit.php: Walker_Nav_Menu_Edit::start_el() |
Start the element output. |
wp-admin/includes/class-walker-nav-menu-checklist.php: Walker_Nav_Menu_Checklist::start_el() |
Start the element output. |
wp-admin/includes/nav-menu.php: wp_nav_menu_item_post_type_meta_box() |
Displays a meta box for a post type menu item. |
wp-admin/includes/nav-menu.php: wp_nav_menu_item_taxonomy_meta_box() |
Displays a meta box for a taxonomy menu item. |
wp-admin/includes/file.php: request_filesystem_credentials() |
Displays a form to the user to request for their FTP/SSH details in order to connect to the filesystem. |
wp-admin/includes/class-wp-posts-list-table.php: WP_Posts_List_Table::inline_edit() |
Outputs the hidden row displayed when inline editing |
wp-admin/includes/widgets.php: wp_list_widget_controls() |
Show the widgets and their settings for a sidebar. |
wp-admin/includes/widgets.php: wp_widget_control() |
Meta widget used to display the control form for a widget. |
wp-admin/includes/options.php: options_reading_blog_charset() |
Render the site charset setting. |
wp-admin/custom-header.php: Custom_Image_Header::step_1() |
Display first step of custom header image page. |
wp-admin/custom-header.php: Custom_Image_Header::step_2() |
Display second step of custom header image page. |
wp-admin/custom-header.php: Custom_Image_Header::show_header_selector() |
Display UI for selecting one of several default headers. |
wp-admin/includes/ms.php: confirm_delete_users() | |
wp-admin/update-core.php: list_core_update() | |
wp-admin/update-core.php: list_plugin_updates() | |
wp-admin/update-core.php: list_theme_updates() | |
wp-admin/custom-background.php: Custom_Background::wp_set_background_image() | |
wp-admin/custom-background.php: Custom_Background::admin_page() |
Display the custom background page. |
wp-admin/menu-header.php: _wp_menu_output() |
Display menu. |
wp-includes/class.wp-styles.php: WP_Styles::print_inline_style() |
Prints extra CSS styles of a registered stylesheet. |
wp-includes/class.wp-styles.php: WP_Styles::do_item() |
Processes a style dependency. |
wp-includes/class-walker-category.php: Walker_Category::start_el() |
Starts the element output. |
wp-includes/class-walker-category-dropdown.php: Walker_CategoryDropdown::start_el() |
Starts the element output. |
wp-includes/category-template.php: wp_generate_tag_cloud() |
Generates a tag cloud (heatmap) from provided data. |
wp-includes/category-template.php: wp_dropdown_categories() |
Display or retrieve the HTML dropdown list of categories. |
wp-includes/category-template.php: wp_list_categories() |
Display or retrieve the HTML list of categories. |
wp-includes/l10n.php: esc_attr__() |
Retrieve the translation of $text and escapes it for safe use in an attribute. |
wp-includes/l10n.php: esc_attr_e() |
Display translated text that has been escaped for safe use in an attribute. |
wp-includes/l10n.php: esc_attr_x() |
Translate string with gettext context, and escapes it for safe use in an attribute. |
wp-includes/formatting.php: _links_add_target() |
Callback to add a target attribute to all links in passed content. |
wp-includes/formatting.php: wp_rel_nofollow_callback() |
Callback to add rel=nofollow string to HTML A element. |
wp-includes/formatting.php: translate_smiley() |
Convert one smiley code to the icon graphic file equivalent. |
wp-includes/pluggable.php: get_avatar() |
Retrieve the avatar |
wp-includes/general-template.php: the_search_query() |
Displays the contents of the search query variable. |
wp-includes/general-template.php: get_the_generator() |
Creates the generator XML or Comment for RSS, ATOM, etc. |
wp-includes/general-template.php: paginate_links() |
Retrieve paginated link for archive post pages. |
wp-includes/general-template.php: feed_links() |
Display the links to the general feeds. |
wp-includes/general-template.php: feed_links_extra() |
Display the links to the extra feeds such as category feeds. |
wp-includes/general-template.php: get_search_query() |
Retrieves the contents of the search WordPress query variable. |
wp-includes/general-template.php: get_archives_link() |
Retrieve archive link content based on predefined or custom code. |
wp-includes/general-template.php: get_calendar() |
Display calendar with days that have posts as links. |
wp-includes/general-template.php: wp_login_form() |
Provides a simple login form for use anywhere within WordPress. |
wp-includes/deprecated.php: get_boundary_post_rel_link() |
Get boundary post relational link. |
wp-includes/deprecated.php: get_index_rel_link() |
Get site index relational link. |
wp-includes/deprecated.php: get_parent_post_rel_link() |
Get parent post relational link. |
wp-includes/deprecated.php: get_the_attachment_link() |
Retrieve HTML content of attachment image with link. |
wp-includes/deprecated.php: get_attachment_icon() |
Retrieve HTML content of icon attachment image element. |
wp-includes/deprecated.php: get_attachment_innerHTML() |
Retrieve HTML content of image element. |
wp-includes/deprecated.php: attribute_escape() |
Escaping for HTML attributes. |
wp-includes/deprecated.php: get_links() |
Gets the links associated with category by id. |
wp-includes/functions.php: wp_timezone_choice() |
Gives a nicely-formatted list of timezone strings. |
wp-includes/functions.php: wp_nonce_field() |
Retrieve or display nonce hidden field for forms. |
wp-includes/functions.php: wp_referer_field() |
Retrieve or display referer hidden field for forms. |
wp-includes/functions.php: wp_original_referer_field() |
Retrieve or display original referer hidden field for forms. |
wp-includes/widgets/class-wp-nav-menu-widget.php: WP_Nav_Menu_Widget::form() |
Outputs the settings form for the Navigation Menu widget. |
wp-includes/widgets/class-wp-widget-recent-comments.php: WP_Widget_Recent_Comments::form() |
Outputs the settings form for the Recent Comments widget. |
wp-includes/widgets/class-wp-widget-tag-cloud.php: WP_Widget_Tag_Cloud::form() |
Outputs the Tag Cloud widget settings form. |
wp-includes/widgets/class-wp-widget-rss.php: WP_Widget_RSS::widget() |
Outputs the content for the current RSS widget instance. |
wp-includes/widgets/class-wp-widget-categories.php: WP_Widget_Categories::form() |
Outputs the settings form for the Categories widget. |
wp-includes/widgets/class-wp-widget-recent-posts.php: WP_Widget_Recent_Posts::form() |
Outputs the settings form for the Recent Posts widget. |
wp-includes/widgets/class-wp-widget-text.php: WP_Widget_Text::form() |
Outputs the Text widget settings form. |
wp-includes/widgets/class-wp-widget-calendar.php: WP_Widget_Calendar::form() |
Outputs the settings form for the Calendar widget. |
wp-includes/widgets/class-wp-widget-categories.php: WP_Widget_Categories::widget() |
Outputs the content for the current Categories widget instance. |
wp-includes/widgets/class-wp-widget-archives.php: WP_Widget_Archives::widget() |
Outputs the content for the current Archives widget instance. |
wp-includes/widgets/class-wp-widget-archives.php: WP_Widget_Archives::form() |
Outputs the settings form for the Archives widget. |
wp-includes/widgets/class-wp-widget-search.php: WP_Widget_Search::form() |
Outputs the settings form for the Search widget. |
wp-includes/widgets/class-wp-widget-meta.php: WP_Widget_Meta::form() |
Outputs the settings form for the Meta widget. |
wp-includes/widgets/class-wp-widget-pages.php: WP_Widget_Pages::form() |
Outputs the settings form for the Pages widget. |
wp-includes/widgets.php: wp_widget_rss_output() |
Display the RSS entries in a list. |
wp-includes/widgets.php: wp_widget_rss_form() |
Display RSS widget options form. |
wp-includes/taxonomy.php: get_the_taxonomies() |
Retrieve all taxonomies associated with a post. |
wp-includes/taxonomy.php: sanitize_term_field() |
Cleanse the field value in the term based on the context. |
wp-includes/link-template.php: get_adjacent_post_rel_link() |
Retrieves the adjacent post relational link. |
wp-includes/link-template.php: edit_post_link() |
Displays the edit post link for post. |
wp-includes/class-wp-admin-bar.php: WP_Admin_Bar::_render_container() | |
wp-includes/class-wp-admin-bar.php: WP_Admin_Bar::_render_group() | |
wp-includes/class-wp-admin-bar.php: WP_Admin_Bar::_render_item() | |
wp-includes/class-wp-admin-bar.php: WP_Admin_Bar::add_node() |
Adds a node to the menu. |
wp-includes/update.php: wp_get_update_data() |
Collect counts and UI strings for available updates |
wp-includes/class-oembed.php: WP_oEmbed::data2html() |
Converts a data object from WP_oEmbed::fetch() and returns the HTML. |
wp-includes/admin-bar.php: wp_admin_bar_shortlink_menu() |
Provide a shortlink. |
wp-includes/feed.php: get_the_category_rss() |
Retrieve all of the post categories, formatted for use in feeds. |
wp-includes/feed.php: rss_enclosure() |
Display the rss enclosure for the current post. |
wp-includes/feed.php: atom_enclosure() |
Display the atom enclosure for the current post. |
wp-includes/option.php: form_option() |
Print option value after sanitizing for forms. |
wp-includes/user.php: wp_dropdown_users() |
Create dropdown HTML content of users. |
wp-includes/user.php: sanitize_user_field() |
Sanitize user field based on context. |
wp-includes/bookmark-template.php: _walk_bookmarks() |
The formatted output of a list of bookmarks. |
wp-includes/template.php: load_template() |
Require the template file with WordPress environment. |
wp-includes/class-walker-nav-menu.php: Walker_Nav_Menu::start_el() |
Starts the element output. |
wp-includes/class-walker-page-dropdown.php: Walker_PageDropdown::start_el() |
Starts the element output. |
wp-includes/class-walker-nav-menu.php: Walker_Nav_Menu::start_lvl() |
Starts the list before the elements are added. |
wp-includes/nav-menu-template.php: wp_nav_menu() |
Displays a navigation menu. |
wp-includes/class-walker-page.php: Walker_Page::start_el() |
Outputs the beginning of the current element in the tree. |
wp-includes/post-template.php: wp_link_pages() |
The formatted output of a list of pages. |
wp-includes/post-template.php: wp_dropdown_pages() |
Retrieve or display a list of pages as a dropdown (select list). |
wp-includes/post-template.php: wp_page_menu() |
Displays or retrieves a list of pages with an optional home link. |
wp-includes/post-template.php: the_title_attribute() |
Sanitize the current title when retrieving or displaying. |
wp-includes/media.php: wp_video_shortcode() |
Builds the Video shortcode output. |
wp-includes/media.php: wp_playlist_shortcode() |
Builds the Playlist shortcode output. |
wp-includes/media.php: wp_audio_shortcode() |
Builds the Audio shortcode output. |
wp-includes/media.php: get_image_tag() |
Gets an img tag for an image attachment, scaling it down if requested. |
wp-includes/media.php: img_caption_shortcode() |
Builds the Caption shortcode output. |
wp-includes/post.php: sanitize_post_field() |
Sanitize post field based on context. |
wp-includes/class-wp-rewrite.php: WP_Rewrite::iis7_url_rewrite_rules() |
Retrieves IIS7 URL Rewrite formatted rewrite rules to write to web.config file. |
wp-includes/bookmark.php: sanitize_bookmark_field() |
Sanitizes a bookmark field. |
wp-includes/author-template.php: get_the_author_link() |
Retrieve either author’s link or author’s name. |
wp-includes/author-template.php: wp_list_authors() |
List all the authors of the site, with several options available. |
wp-includes/rss.php: wp_rss() |
Display all RSS items in a HTML ordered list. |
wp-includes/customize/class-wp-widget-area-customize-control.php: WP_Widget_Area_Customize_Control::render_content() |
Renders the control’s content. |
wp-includes/class-wp-customize-control.php: WP_Customize_Control::render() |
Renders the control wrapper and calls $this->render_content() for the internals. |
wp-includes/class-wp-customize-control.php: WP_Customize_Control::get_link() |
Get the data link attribute for a setting. |
wp-includes/class-wp-customize-control.php: WP_Customize_Control::render_content() |
Render the control’s content. |
wp-includes/comment-template.php: comment_form() |
Outputs a complete commenting form for use within a template. |
wp-includes/comment-template.php: comments_popup_link() |
Displays the link to the comments for the current post ID. |
wp-includes/comment-template.php: get_comment_reply_link() |
Retrieve HTML content for reply to comment link. |
wp-includes/class-wp-customize-widgets.php: WP_Customize_Widgets::output_widget_control_templates() |
Renders the widget form control templates into the DOM. |
wp-includes/comment.php: sanitize_comment_cookies() |
Sanitizes the cookies sent to the user already. |
wp-includes/class-wp-editor.php: _WP_Editors::editor() |
Outputs the HTML for a single instance of the editor. |
wp-includes/media-template.php: wp_print_media_templates() |
Prints the templates used in the media manager. |
User Contributed Notes
When escaping the values of attributes that accept URIs (like href and src), it is important to pass the value through esc_url(). If you only use esc_attr(), the code may still be vulnerable to XSS. (Note also, that when using esc_url(), you don't need to also use esc_attr().) More info:

Example of escaping $_POST data on output

It is important to always use quotes around your attribute's value when it is being escaped with esc_attr(). Otherwise, your code will still be vulnerable to XSS.

I'm not sure if esc_attr() is what you should use if you're echoing out the value for a form input that is allowed to contain HTML entities because they get lost. I.e., you may start with a string containing HTML entities (e.g. &amp;), and find them disappearing (turning into &). It's easiest to explain with an example:

1. You have a value in the database that is
Want to do a "br" tag? Do this: &lt;br&gt;
2. You output that value in a page inside a form input's value with code like this
That will produce HTML like
3. When that is displayed by the browser, it will DECODE the HTML entities, showing the user
Want to do a "br" tag? Do this: <br>
4. When that form is submitted back to the server, the browser will send the value the USER SAW, namely
Want to do a "br" tag? Do this: <br>
5. If your database code saves the user's input as it was received, it will save it as
Want to do a "br" tag? Do this: <br>

Notice we lost the HTML entities? We started with
Want to do a "br" tag? Do this: &lt;br&gt;
but ended up with
Want to do a "br" tag? Do this: <br>
OUPS. In order to fix that, esc_attr() should have DOUBLE-encoded the HTML entities; i.e. produced HTML like this:
Notice the <br> tag has been double-encoded. That will mean the value
Want to do a "br" tag? Do this: &lt;br&gt;
will be displayed to the user, and thus get submitted, and saved down the road.

So what function should you use for inputs that are allowed to have HTML entities? esc_textarea().
Here's a code snippet showing the difference:
Which produces the following HTML
Try it and you'll see the second is actually what you want, if you want to allow HTML entities in the value.

Note that esc_attr will attempt to avoid double-encoding. Take this code:
This will print A &amp; B instead of A &amp;amp; B.
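A stand-alone model of the contract described under "More Information" and of the pitfalls raised in the notes above (unquoted attribute values, entities lost on a form round trip, href/src needing esc_url()), added here as an example rather than taken from WordPress itself: esc_attr_model, esc_textarea_model, esc_url_model and the HTMLParser-based check are simplified stand-ins that follow esc_attr(), esc_textarea() and esc_url() only as far as this page describes them, and NAMED_ENTITIES and ALLOWED_PROTOCOLS are constructed subsets of the real allowlists.

```python
import html
import re
from html.parser import HTMLParser

# Named entities the model treats as valid. Assumption: a small subset of the
# allowlist WordPress consults in wp_kses_normalize_entities().
NAMED_ENTITIES = {"amp", "lt", "gt", "quot", "apos", "nbsp", "copy", "hellip"}
ENTITY_RE = re.compile(r"&(#[0-9]{1,7}|#[xX][0-9a-fA-F]{1,6}|[A-Za-z][A-Za-z0-9]{0,31});")


def _escape_special(s: str) -> str:
    """htmlspecialchars(ENT_QUOTES)-style encoding of the five characters."""
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&#039;"))


def esc_attr_model(text: str) -> str:
    """Model of esc_attr(): encode < > & " ' for an attribute value without
    double-encoding an entity that is already valid; '&bogus;' becomes
    '&amp;bogus;' so the output still parses the way the author intended."""
    out, pos = [], 0
    for m in ENTITY_RE.finditer(text):
        out.append(_escape_special(text[pos:m.start()]))
        body = m.group(1)
        if body.startswith("#") or body in NAMED_ENTITIES:
            out.append(m.group(0))                 # valid entity: keep as-is
        else:
            out.append("&amp;" + m.group(0)[1:])   # garbage entity: encode '&'
        pos = m.end()
    out.append(_escape_special(text[pos:]))
    return "".join(out)


def esc_textarea_model(text: str) -> str:
    """esc_textarea()-style escaping: every '&' is encoded, so an entity that
    was already in the value is double-encoded and survives a form round trip."""
    return html.escape(text, quote=True)


# Assumption: a subset of wp_allowed_protocols(). The point is that esc_attr()
# knows nothing about URL schemes, while esc_url() rejects a disallowed one.
ALLOWED_PROTOCOLS = {"http", "https", "ftp", "ftps", "mailto", "tel", "feed"}


def esc_url_model(url: str) -> str:
    """Model of esc_url() for href/src: '' for a disallowed scheme, otherwise
    the URL escaped for attribute context (the real function does more)."""
    url = url.strip()
    scheme = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*):", url)
    if scheme and scheme.group(1).lower() not in ALLOWED_PROTOCOLS:
        return ""
    return esc_attr_model(url)


class _AttrCollector(HTMLParser):
    """Collects (name, value) pairs as a browser's parser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def parsed_attrs(markup: str):
    """Parse one start tag and return its attributes, entities decoded."""
    p = _AttrCollector()
    p.feed(markup)
    p.close()
    return p.attrs


def input_markup(value: str, quoted: bool = True, escape=esc_attr_model) -> str:
    """Build <input name="note" value=...>; quoted=False reproduces the
    mistake the second note warns about (whitespace ends an unquoted value)."""
    v = escape(value)
    if quoted:
        return '<input name="note" value="%s">' % v
    return '<input name="note" value=%s>' % v


def submitted_value(stored: str, escape=esc_attr_model) -> str:
    """The five-step scenario from the third note: the browser decodes the
    attribute value and the form sends back exactly what the user saw."""
    return dict(parsed_attrs(input_markup(stored, True, escape)))["value"]


if __name__ == "__main__":
    stored = 'Want to do a "br" tag? Do this: &lt;br&gt;'   # constructed value
    print(submitted_value(stored))                      # entities lost
    print(submitted_value(stored, esc_textarea_model))  # entities kept
    print(parsed_attrs(input_markup("hello extra=1", quoted=False)))
```

Running it shows the unquoted variant parsing as two attributes where the quoted one parses as a single value, which is the whole reason the second note insists on quotes.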