Escaping for HTML attributes.
Parameters
$text (string, required)
Return
string
More Information
Encodes the <, >, &, " and ' (less than, greater than, ampersand, double quote and single quote) characters. Will never double encode entities.
Always use when escaping HTML attributes (especially form values) such as alt, value, title, etc. To escape the value of a translation use esc_attr__() instead; to escape, translate and echo, use esc_attr_e().
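As an added example (not WordPress core code), the following renders the same form field once with raw interpolation and once through esc_attr(), over a few constructed inputs, so the effect of the escaping is visible. When the file is run outside WordPress, esc_attr() is undefined, so the block installs a stand-in built on PHP's htmlspecialchars() with ENT_QUOTES and double_encode=false; that stand-in is an assumption that approximates the documented behaviour (it does not perform core's invalid-UTF-8 check, and core encodes via _wp_specialchars()). Inside WordPress the real esc_attr() is used unchanged.

```php
<?php
// Added example, not WordPress core code. Shows raw vs. esc_attr()-escaped
// attribute output for a few constructed inputs.

if ( ! function_exists( 'esc_attr' ) ) {
    // ASSUMPTION: stand-in used only when WordPress is not loaded. It mirrors the
    // documented behaviour (encode < > & " ' and never double-encode) via
    // htmlspecialchars(); core's esc_attr() additionally checks for invalid UTF-8.
    function esc_attr( $text ) {
        // Fourth argument false = leave existing entities such as &amp; alone.
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8', false );
    }
}

// Constructed sample values, as a user might submit them in a profile form.
$samples = array(
    'plain'        => 'Alice',
    'breakout'     => 'Bob" onmouseover="alert(1)', // tries to close the attribute
    'single_quote' => "O'Brien",
    'pre_encoded'  => 'Tom &amp; Jerry',            // must not become &amp;amp;
);

// Unsafe: the value is dropped straight into the attribute.
function render_unsafe( $value ) {
    return '<input type="text" name="display_name" value="' . $value . '">';
}

// Safe: the value is escaped at output time, inside a double-quoted attribute.
function render_safe( $value ) {
    return '<input type="text" name="display_name" value="' . esc_attr( $value ) . '">';
}

foreach ( $samples as $label => $value ) {
    echo "== {$label} ==\n";
    echo 'unsafe: ' . render_unsafe( $value ) . "\n";
    echo 'safe:   ' . render_safe( $value ) . "\n\n";
}
```

Run it with `php esc-attr-demo.php`. For the breakout sample the safe line becomes `value="Bob&quot; onmouseover=&quot;alert(1)"`, so the browser sees a single attribute value rather than a second attribute; the pre-encoded sample keeps its single `&amp;` because entities are never double encoded. The protection only holds inside a quoted attribute: esc_attr() leaves spaces untouched, so an unquoted `value=<?php echo esc_attr( $x ); ?>` could still pick up extra attributes from the value. Always quote the attribute.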
Source
```php
function esc_attr( $text ) {
	$safe_text = wp_check_invalid_utf8( $text );
	$safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
	/**
	 * Filters a string cleaned and escaped for output in an HTML attribute.
	 *
	 * Text passed to esc_attr() is stripped of invalid or special characters
	 * before output.
	 *
	 * @since 2.0.6
	 *
	 * @param string $safe_text The text after it has been escaped.
	 * @param string $text      The text prior to being escaped.
	 */
	return apply_filters( 'attribute_escape', $safe_text, $text );
}
```
Hooks
- apply_filters( 'attribute_escape', string $safe_text, string $text ) — Filters a string cleaned and escaped for output in an HTML attribute.
Related
Uses | File | Description |
---|---|---|
wp_check_invalid_utf8() | wp-includes/formatting.php | Checks for invalid UTF8 in a string. |
_wp_specialchars() | wp-includes/formatting.php | Converts a number of special characters into their HTML entities. |
apply_filters() | wp-includes/plugin.php | Calls the callback functions that have been added to a filter hook. |
Used by | File | Description |
---|---|---|
WP_Script_Modules::print_script_module_preloads() | wp-includes/class-wp-script-modules.php | Prints the static dependencies of the enqueued script modules using link tags with rel="modulepreload" attributes. |
WP_Plugin_Install_List_Table::get_more_details_link() | wp-admin/includes/class-wp-plugin-install-list-table.php | Creates a 'More details' link for the plugin. |
wp_get_plugin_action_button() | wp-admin/includes/plugin-install.php | Gets the markup for the plugin install action button. |
WP_Plugins_List_Table::get_view_details_link() | wp-admin/includes/class-wp-plugins-list-table.php | Returns a 'View details' link for the plugin. |
wp_get_admin_notice() | wp-includes/functions.php | Creates and returns the markup for an admin notice. |
Walker_Nav_Menu::build_atts() | wp-includes/class-walker-nav-menu.php | Builds a string of HTML attributes from an array of key/value pairs. |
WP_Duotone::get_filter_svg() | wp-includes/class-wp-duotone.php | Gets the SVG for the duotone filter definition. |
_make_clickable_rel_attr() | wp-includes/formatting.php | Helper function used to build the "rel" attribute for a URL when creating an anchor using make_clickable(). |
wp_img_tag_add_decoding_attr() | wp-includes/deprecated.php | Adds |
wp_preload_resources() | wp-includes/general-template.php | Prints resource preloads directives to browsers. |
wp_list_users() | wp-includes/user.php | Lists all the users of the site, with several options available. |
wp_robots() | wp-includes/robots-template.php | Displays the robots meta tag as necessary. |
wp_sanitize_script_attributes() | wp-includes/script-loader.php | Sanitizes an attributes array into an attributes string to be placed inside a |
get_block_wrapper_attributes() | wp-includes/class-wp-block-supports.php | Generates a string of attributes by applying to the current block being rendered all of the features that the block supports. |
WP_Application_Passwords_List_Table::column_revoke() | wp-admin/includes/class-wp-application-passwords-list-table.php | Handles the revoke column output. |
WP_Application_Passwords_List_Table::display_tablenav() | wp-admin/includes/class-wp-application-passwords-list-table.php | Generates custom table navigation to prevent conflicting nonces. |
WP_Application_Passwords_List_Table::single_row() | wp-admin/includes/class-wp-application-passwords-list-table.php | Generates content for a single row of the table. |
WP_Application_Passwords_List_Table::print_js_template_row() | wp-admin/includes/class-wp-application-passwords-list-table.php | Prints the JavaScript template for the new row item. |
WP_Comments_List_Table::comment_type_dropdown() | wp-admin/includes/class-wp-comments-list-table.php | Displays a comment type drop-down for filtering on the Comments list table. |
wp_img_tag_add_loading_attr() | wp-includes/deprecated.php | Adds |
wp_admin_viewport_meta() | wp-admin/includes/misc.php | Displays the viewport meta in the admin. |
wp_rel_callback() | wp-includes/formatting.php | Callback to add a rel attribute to HTML A element. |
wp_credits_section_list() | wp-admin/includes/credits.php | Displays a list of contributors for a given group. |
WP_Privacy_Data_Removal_Requests_List_Table::column_email() | wp-admin/includes/class-wp-privacy-data-removal-requests-list-table.php | Outputs the Actions column. |
WP_Privacy_Data_Removal_Requests_List_Table::column_next_steps() | wp-admin/includes/class-wp-privacy-data-removal-requests-list-table.php | Outputs the Next steps column. |
WP_Privacy_Data_Export_Requests_List_Table::column_email() | wp-admin/includes/class-wp-privacy-data-export-requests-list-table.php | Actions column. |
WP_Privacy_Data_Export_Requests_List_Table::column_next_steps() | wp-admin/includes/class-wp-privacy-data-export-requests-list-table.php | Displays the next steps column. |
wp_filter_oembed_iframe_title_attribute() | wp-includes/embed.php | Filters the given oEmbed HTML to make sure iframes have a title attribute. |
WP_Site_Health::get_test_background_updates() | wp-admin/includes/class-wp-site-health.php | Tests if WordPress can run automated background updates. |
WP_Posts_List_Table::formats_dropdown() | wp-admin/includes/class-wp-posts-list-table.php | Displays a formats drop-down for filtering items. |
wp_targeted_link_rel_callback() | wp-includes/formatting.php | Callback to add |
the_block_editor_meta_boxes() | wp-admin/includes/post.php | Renders the meta boxes forms. |
the_block_editor_meta_box_post_form_hidden_fields() | wp-admin/includes/post.php | Renders the hidden form required for the meta boxes form. |
wp_privacy_generate_personal_data_export_group_html() | wp-admin/includes/privacy-tools.php | Generate a single group for the personal data export report. |
wp_privacy_generate_personal_data_export_file() | wp-admin/includes/privacy-tools.php | Generate the personal data export file. |
WP_Privacy_Requests_Table::column_status() | wp-admin/includes/class-wp-privacy-requests-table.php | Status column. |
WP_Privacy_Requests_Table::single_row() | wp-admin/includes/class-wp-privacy-requests-table.php | Generates content for a single row of the table. |
WP_Privacy_Requests_Table::column_cb() | wp-admin/includes/class-wp-privacy-requests-table.php | Returns the markup for the Checkbox column. |
WP_Widget_Text::is_legacy_instance() | wp-includes/widgets/class-wp-widget-text.php | Determines whether a given instance is legacy and should bypass using TinyMCE. |
WP_Widget_Media_Gallery::render_control_template_scripts() | wp-includes/widgets/class-wp-widget-media-gallery.php | Render form template scripts. |
WP_Widget_Custom_HTML::form() | wp-includes/widgets/class-wp-widget-custom-html.php | Outputs the Custom HTML widget settings form. |
WP_Customize_Nav_Menu_Locations_Control::content_template() | wp-includes/customize/class-wp-customize-nav-menu-locations-control.php | JS/Underscore template for the control UI. |
WP_Customize_Themes_Section::filter_drawer_content_template() | wp-includes/customize/class-wp-customize-themes-section.php | Renders the filter drawer portion of a themes section as a JS template. |
wp_load_press_this() | wp-admin/press-this.php | |
wp_print_plugin_file_tree() | wp-admin/includes/misc.php | Outputs the formatted file list for the plugin file editor. |
wp_print_theme_file_tree() | wp-admin/includes/misc.php | Outputs the formatted file list for the theme file editor. |
WP_Widget_Media::form() | wp-includes/widgets/class-wp-widget-media.php | Outputs the settings update form. |
WP_Widget_Media::render_control_template_scripts() | wp-includes/widgets/class-wp-widget-media.php | Render form template scripts. |
WP_Widget_Media_Image::render_media() | wp-includes/widgets/class-wp-widget-media-image.php | Render the media on the frontend. |
WP_Widget_Media_Image::render_control_template_scripts() | wp-includes/widgets/class-wp-widget-media-image.php | Render form template scripts. |
WP_Customize_Nav_Menus::print_post_type_container() | wp-includes/class-wp-customize-nav-menus.php | Prints the markup for new menu items. |
WP_Customize_Background_Position_Control::content_template() | wp-includes/customize/class-wp-customize-background-position-control.php | Render a JS template for the content of the position control. |
wp_resource_hints() | wp-includes/general-template.php | Prints resource hints to browsers for pre-fetching, pre-rendering and pre-connecting to websites. |
network_edit_site_nav() | wp-admin/includes/ms.php | Outputs the HTML for a network's "Edit Site" tabular interface. |
WP_Plugins_List_Table::search_box() | wp-admin/includes/class-wp-plugins-list-table.php | Displays the search box. |
WP_Customize_Widgets::filter_dynamic_sidebar_params() | wp-includes/class-wp-customize-widgets.php | Inject selective refresh data attributes into widget container elements. |
get_post_embed_html() | wp-includes/embed.php | Retrieves the embed code for a specific post. |
get_the_author_posts_link() | wp-includes/author-template.php | Retrieves an HTML link to the author page of the current post's author. |
WP_Posts_List_Table::get_edit_link() | wp-admin/includes/class-wp-posts-list-table.php | Creates a link to edit.php with params. |
WP_Customize_Nav_Menu_Location_Control::render_content() | wp-includes/customize/class-wp-customize-nav-menu-location-control.php | Render content just like a normal select control. |
WP_Customize_Panel::print_template() | wp-includes/class-wp-customize-panel.php | Render the panel's JS templates. |
get_language_attributes() | wp-includes/general-template.php | Gets the language attributes for the 'html' tag. |
WP_Customize_Nav_Menus::filter_wp_nav_menu() | wp-includes/class-wp-customize-nav-menus.php | Prepares wp_nav_menu() calls for partial refresh. |
WP_Customize_New_Menu_Section::render() | wp-includes/customize/class-wp-customize-new-menu-section.php | Render the section, and the controls that have been added to it. |
WP_Posts_List_Table::handle_row_actions() | wp-admin/includes/class-wp-posts-list-table.php | Generates and displays row action links. |
WP_Posts_List_Table::column_title() | wp-admin/includes/class-wp-posts-list-table.php | Handles the title column output. |
WP_Links_List_Table::column_cb() | wp-admin/includes/class-wp-links-list-table.php | Handles the checkbox column output. |
WP_Links_List_Table::column_name() | wp-admin/includes/class-wp-links-list-table.php | Handles the link name column output. |
WP_MS_Themes_List_Table::column_name() | wp-admin/includes/class-wp-ms-themes-list-table.php | Handles the name column output. |
WP_MS_Themes_List_Table::column_description() | wp-admin/includes/class-wp-ms-themes-list-table.php | Handles the description column output. |
WP_MS_Themes_List_Table::column_cb() | wp-admin/includes/class-wp-ms-themes-list-table.php | Handles the checkbox column output. |
WP_MS_Sites_List_Table::column_cb() | wp-admin/includes/class-wp-ms-sites-list-table.php | Handles the checkbox column output. |
WP_Terms_List_Table::handle_row_actions() | wp-admin/includes/class-wp-terms-list-table.php | Generates and displays row action links. |
WP_MS_Users_List_Table::column_blogs() | wp-admin/includes/class-wp-ms-users-list-table.php | Handles the sites column output. |
WP_MS_Users_List_Table::column_cb() | wp-admin/includes/class-wp-ms-users-list-table.php | Handles the checkbox column output. |
WP_Media_List_Table::column_parent() | wp-admin/includes/class-wp-media-list-table.php | Handles the parent column output. |
WP_Media_List_Table::column_title() | wp-admin/includes/class-wp-media-list-table.php | Handles the title column output. |
wp_kses_one_attr() | wp-includes/kses.php | Filters one HTML attribute and ensures its value is allowed. |
WP_Customize_Theme_Control::content_template() | wp-includes/customize/class-wp-customize-theme-control.php | Render a JS template for theme display. |
customize_themes_print_templates() | wp-admin/includes/theme.php | Prints JS templates for the theme-browsing UI in the Customizer. |
WP_Customize_Control::print_template() | wp-includes/class-wp-customize-control.php | Render the control's JS template. |
_navigation_markup() | wp-includes/link-template.php | Wraps passed links in navigational markup. |
WP_Customize_Control::input_attrs() | wp-includes/class-wp-customize-control.php | Render the custom attributes for the control's input element. |
wp_install_language_form() | wp-admin/includes/translation-install.php | Output the select form for the language selection on the installation screen. |
login_footer() | wp-login.php | Outputs the footer for the login page. |
login_header() | wp-login.php | Outputs the login page header. |
show_user_form() | wp-signup.php | Displays the fields for the new user account registration form. |
signup_blog() | wp-signup.php | Shows a form for a user or visitor to sign up for a new site. |
show_blog_form() | wp-signup.php | Generates and displays the Sign-up and Create Site forms. |
network_step1() | wp-admin/includes/network.php | Prints step 1 for Network installation process. |
display_setup_form() | wp-admin/install.php | Displays installer setup form. |
export_date_options() | wp-admin/export.php | Creates the date options fields for exporting a given post type. |
WP_Screen::render_screen_layout() | wp-admin/includes/class-wp-screen.php | Renders the option for number of columns on the page. |
WP_Screen::render_per_page_options() | wp-admin/includes/class-wp-screen.php | Renders the items per page option. |
get_theme_update_available() | wp-admin/includes/theme.php | Retrieves the update link if there is a theme update available. |
WP_Screen::render_screen_meta() | wp-admin/includes/class-wp-screen.php | Renders the screen's help section. |
WP_Plugins_List_Table::single_row() | wp-admin/includes/class-wp-plugins-list-table.php | |
meta_box_prefs() | wp-admin/includes/screen.php | Prints the meta box preferences for screen meta. |
WP_Links_List_Table::display_rows() | wp-admin/includes/class-wp-links-list-table.php | Generates the list table rows. |
install_theme_search_form() | wp-admin/includes/theme-install.php | Displays search form for searching themes. |
install_themes_dashboard() | wp-admin/includes/theme-install.php | Displays tags filter for themes. |
Bulk_Upgrader_Skin::before() | wp-admin/includes/class-bulk-upgrader-skin.php | Performs an action before a bulk update. |
Bulk_Upgrader_Skin::after() | wp-admin/includes/class-bulk-upgrader-skin.php | Performs an action following a bulk update. |
WP_List_Table::single_row_columns() | wp-admin/includes/class-wp-list-table.php | Generates the columns for a single row of the table. |
WP_List_Table::view_switcher() | wp-admin/includes/class-wp-list-table.php | Displays a view switcher. |
WP_List_Table::print_column_headers() | wp-admin/includes/class-wp-list-table.php | Prints column headers, accounting for hidden and sortable columns. |
WP_List_Table::get_table_classes() | wp-admin/includes/class-wp-list-table.php | Gets a list of CSS classes for the WP_List_Table table tag. |
WP_List_Table::display_tablenav() | wp-admin/includes/class-wp-list-table.php | Generates the table navigation above or below the table. |
WP_List_Table::search_box() | wp-admin/includes/class-wp-list-table.php | Displays the search box. |
WP_List_Table::bulk_actions() | wp-admin/includes/class-wp-list-table.php | Displays the bulk actions dropdown. |
WP_List_Table::months_dropdown() | wp-admin/includes/class-wp-list-table.php | Displays a dropdown for filtering items in the list table by month. |
mu_dropdown_languages() | wp-admin/includes/ms.php | Generates and displays a drop-down of available languages. |
upload_space_setting() | wp-admin/includes/ms.php | Displays the site upload space quota setting form on the Edit Site Settings screen. |
WP_MS_Themes_List_Table::single_row() | wp-admin/includes/class-wp-ms-themes-list-table.php | |
admin_color_scheme_picker() | wp-admin/includes/misc.php | Displays the default admin color scheme picker (used in user-edit.php). |
WP_Theme_Install_List_Table::install_theme_info() | wp-admin/includes/class-wp-theme-install-list-table.php | Prints the info for a theme (to be used in the theme installer modal). |
get_terms_to_edit() | wp-admin/includes/taxonomy.php | Gets comma-separated list of terms available to edit for the given post ID. |
WP_Theme_Install_List_Table::single_row() | wp-admin/includes/class-wp-theme-install-list-table.php | Prints a theme from the WordPress.org API. |
wp_plugin_update_row() | wp-admin/includes/update.php | Displays update information for a plugin. |
wp_theme_update_row() | wp-admin/includes/update.php | Displays update information for a theme. |
install_search_form() | wp-admin/includes/plugin-install.php | Displays a search form for searching plugins. |
install_plugins_favorites_form() | wp-admin/includes/plugin-install.php | Shows a username form for the favorites page. |
install_plugin_information() | wp-admin/includes/plugin-install.php | Displays plugin information in dialog box form. |
wp_dashboard_plugins_output() | wp-admin/includes/deprecated.php | Display plugins text for the WordPress news widget. |
wp_dashboard_recent_posts() | wp-admin/includes/dashboard.php | Generates Publishing Soon and Recently Published sections. |
wp_dashboard_browser_nag() | wp-admin/includes/dashboard.php | Displays the browser update nag. |
_wp_dashboard_control_callback() | wp-admin/includes/dashboard.php | Outputs controls for the current dashboard widget. |
wp_dashboard_recent_drafts() | wp-admin/includes/dashboard.php | Show recent drafts of the user on the dashboard. |
settings_fields() | wp-admin/includes/plugin.php | Outputs nonce, action, and option_page fields for a settings page. |
WP_Plugin_Install_List_Table::display_rows() | wp-admin/includes/class-wp-plugin-install-list-table.php | Generates the list table rows. |
Walker_Category_Checklist::start_el() | wp-admin/includes/class-walker-category-checklist.php | Start the element output. |
get_submit_button() | wp-admin/includes/template.php | Returns a submit button, with provided text and appropriate class. |
do_settings_sections() | wp-admin/includes/template.php | Prints out all settings sections added to a particular settings page. |
do_settings_fields() | wp-admin/includes/template.php | Prints out the settings fields for a particular settings section. |
settings_errors() | wp-admin/includes/template.php | Displays settings errors registered by add_settings_error(). |
find_posts_div() | wp-admin/includes/template.php | Outputs the modal window used for attaching media to posts or pages in the media-listing screen. |
the_post_password() | wp-admin/includes/template.php | Displays the post password. |
_admin_search_query() | wp-admin/includes/template.php | Displays the search query. |
iframe_header() | wp-admin/includes/template.php | Generic Iframe header for use with Thickbox. |
wp_comment_reply() | wp-admin/includes/template.php | Outputs the in-line comment reply-to form in the Comments list table. |
_list_meta_row() | wp-admin/includes/template.php | Outputs a single row of public meta data in the Custom Fields meta box. |
meta_form() | wp-admin/includes/template.php | Prints the form in the Custom Fields meta box. |
page_template_dropdown() | wp-admin/includes/template.php | Prints out option HTML elements for the page templates drop-down. |
wp_dropdown_roles() | wp-admin/includes/template.php | Prints out option HTML elements for role selectors. |
do_meta_boxes() | wp-admin/includes/template.php | Meta-Box template function. |
do_accordion_sections() | wp-admin/includes/template.php | Meta Box Accordion Template Function. |
WP_Themes_List_Table::display_rows() | wp-admin/includes/class-wp-themes-list-table.php | Generates the list table rows. |
WP_Themes_List_Table::_js_vars() | wp-admin/includes/class-wp-themes-list-table.php | Send required variables to JavaScript land. |
WP_Users_List_Table::single_row() | wp-admin/includes/class-wp-users-list-table.php | Generates HTML for a single row on the users.php admin panel. |
media_upload_gallery_form() | wp-admin/includes/media.php | Adds gallery form to upload iframe. |
media_upload_library_form() | wp-admin/includes/media.php | Outputs the legacy media upload form for the media library. |
edit_form_image_editor() | wp-admin/includes/media.php | Displays the image and editor in the post editor. |
attachment_submitbox_metadata() | wp-admin/includes/media.php | Displays non-editable attachment metadata in the publish meta box. |
get_attachment_fields_to_edit() | wp-admin/includes/media.php | Retrieves the attachment fields to edit form fields. |
get_media_item() | wp-admin/includes/media.php | Retrieves HTML form for modifying the image attachment. |
get_compat_media_markup() | wp-admin/includes/media.php | |
media_upload_form_handler() | wp-admin/includes/media.php | Handles form submissions for the legacy media uploader. |
wp_media_upload_handler() | wp-admin/includes/media.php | Handles the process of uploading media. |
media_sideload_image() | wp-admin/includes/media.php | Downloads an image from the specified URL, saves it as an attachment, and optionally attaches it to a post. |
image_align_input_fields() | wp-admin/includes/media.php | Retrieves HTML for the image alignment radio buttons with the specified one checked. |
image_link_input_fields() | wp-admin/includes/media.php | Retrieves HTML for the Link URL buttons with the default link type as specified. |
the_media_upload_tabs() | wp-admin/includes/media.php | Outputs the legacy media upload tabs UI. |
get_image_send_to_editor() | wp-admin/includes/media.php | Retrieves the image HTML to send to the editor. |
media_buttons() | wp-admin/includes/media.php | Adds the media button to the editor. |
_wp_post_thumbnail_html() | wp-admin/includes/post.php | Returns HTML for the post thumbnail meta box. |
wp_ajax_find_posts() | wp-admin/includes/ajax-actions.php | Handles querying posts for the Find Posts modal via AJAX. |
wp_ajax_add_link_category() | wp-admin/includes/ajax-actions.php | Handles adding a link category via AJAX. |
post_trackback_meta_box() | wp-admin/includes/meta-boxes.php | Displays trackback links form fields. |
post_slug_meta_box() | wp-admin/includes/meta-boxes.php | Displays slug form fields. |
page_attributes_meta_box() | wp-admin/includes/meta-boxes.php | Displays page attributes form fields. |
link_xfn_meta_box() | wp-admin/includes/meta-boxes.php | Displays XFN form fields. |
link_advanced_meta_box() | wp-admin/includes/meta-boxes.php | Displays advanced link options form fields. |
attachment_id3_data_meta_box() | wp-admin/includes/meta-boxes.php | Displays fields for ID3 data. |
post_submit_meta_box() | wp-admin/includes/meta-boxes.php | Displays post submit form fields. |
post_format_meta_box() | wp-admin/includes/meta-boxes.php | Displays post format form elements. |
post_tags_meta_box() | wp-admin/includes/meta-boxes.php | Displays post tags form fields. |
post_categories_meta_box() | wp-admin/includes/meta-boxes.php | Displays post categories form fields. |
get_default_link_to_edit() | wp-admin/includes/bookmark.php | Retrieves the default link for editing. |
WP_Media_List_Table::get_views() | wp-admin/includes/class-wp-media-list-table.php | |
WP_Media_List_Table::_get_row_actions() | wp-admin/includes/class-wp-media-list-table.php | |
WP_Terms_List_Table::column_name() | wp-admin/includes/class-wp-terms-list-table.php | |
WP_Terms_List_Table::inline_edit() | wp-admin/includes/class-wp-terms-list-table.php | Outputs the hidden row displayed when inline editing. |
Walker_Nav_Menu_Checklist::start_el() | wp-admin/includes/class-walker-nav-menu-checklist.php | Start the element output. |
Walker_Nav_Menu_Edit::start_el() | wp-admin/includes/class-walker-nav-menu-edit.php | Start the element output. |
wp_nav_menu_item_post_type_meta_box() | wp-admin/includes/nav-menu.php | Displays a meta box for a post type menu item. |
wp_nav_menu_item_taxonomy_meta_box() | wp-admin/includes/nav-menu.php | Displays a meta box for a taxonomy menu item. |
request_filesystem_credentials() | wp-admin/includes/file.php | Displays a form to the user to request for their FTP/SSH details in order to connect to the filesystem. |
WP_Posts_List_Table::inline_edit() | wp-admin/includes/class-wp-posts-list-table.php | Outputs the hidden row displayed when inline editing. |
wp_list_widget_controls() | wp-admin/includes/widgets.php | Show the widgets and their settings for a sidebar. |
wp_widget_control() | wp-admin/includes/widgets.php | Meta widget used to display the control form for a widget. |
WP_Posts_List_Table::get_table_classes() | wp-admin/includes/class-wp-posts-list-table.php | |
options_reading_blog_charset() | wp-admin/includes/options.php | Render the site charset setting. |
Custom_Image_Header::step_1() | wp-admin/includes/class-custom-image-header.php | Displays first step of custom header image page. |
Custom_Image_Header::step_2() | wp-admin/includes/class-custom-image-header.php | Displays second step of custom header image page. |
Custom_Image_Header::show_header_selector() | wp-admin/includes/class-custom-image-header.php | Displays UI for selecting one of several default headers. |
confirm_delete_users() | wp-admin/includes/ms.php | |
list_core_update() | wp-admin/update-core.php | Lists available core updates. |
list_plugin_updates() | wp-admin/update-core.php | Display the upgrade plugins form. |
list_theme_updates() | wp-admin/update-core.php | Display the upgrade themes form. |
Custom_Background::wp_set_background_image() | wp-admin/includes/class-custom-background.php | |
Custom_Background::admin_page() | wp-admin/includes/class-custom-background.php | Displays the custom background page. |
_wp_menu_output() | wp-admin/menu-header.php | Display menu. |
WP_Styles::print_inline_style() | wp-includes/class-wp-styles.php | Prints extra CSS styles of a registered stylesheet. |
WP_Styles::do_item() | wp-includes/class-wp-styles.php | Processes a style dependency. |
Walker_CategoryDropdown::start_el() | wp-includes/class-walker-category-dropdown.php | Starts the element output. |
Walker_Category::start_el() | wp-includes/class-walker-category.php | Starts the element output. |
wp_generate_tag_cloud() | wp-includes/category-template.php | Generates a tag cloud (heatmap) from provided data. |
wp_dropdown_categories() | wp-includes/category-template.php | Displays or retrieves the HTML dropdown list of categories. |
wp_list_categories() | wp-includes/category-template.php | Displays or retrieves the HTML list of categories. |
_links_add_target() | wp-includes/formatting.php | Callback to add a target attribute to all links in passed content. |
translate_smiley() | wp-includes/formatting.php | Converts one smiley code to the icon graphic file equivalent. |
get_avatar() | wp-includes/pluggable.php | Retrieves the avatar. |
the_search_query() | wp-includes/general-template.php | Displays the contents of the search query variable. |
paginate_links() | wp-includes/general-template.php | Retrieves paginated links for archive post pages. |
get_the_generator() | wp-includes/general-template.php | Creates the generator XML or Comment for RSS, ATOM, etc. |
feed_links() | wp-includes/general-template.php | Displays the links to the general feeds. |
feed_links_extra() | wp-includes/general-template.php | Displays the links to the extra feeds such as category feeds. |
get_search_query() | wp-includes/general-template.php | Retrieves the contents of the search WordPress query variable. |
get_archives_link() | wp-includes/general-template.php | Retrieves archive link content based on predefined or custom code. |
get_calendar() | wp-includes/general-template.php | Displays calendar with days that have posts as links. |
wp_login_form() | wp-includes/general-template.php | Provides a simple login form for use anywhere within WordPress. |
get_search_form() | wp-includes/general-template.php | Displays search form. |
get_boundary_post_rel_link() | wp-includes/deprecated.php | Get boundary post relational link. |
get_index_rel_link() | wp-includes/deprecated.php | Get site index relational link. |
get_parent_post_rel_link() | wp-includes/deprecated.php | Get parent post relational link. |
get_the_attachment_link() | wp-includes/deprecated.php | Retrieve HTML content of attachment image with link. |
get_attachment_icon() | wp-includes/deprecated.php | Retrieve HTML content of icon attachment image element. |
get_attachment_innerHTML() | wp-includes/deprecated.php | Retrieve HTML content of image element. |
attribute_escape() | wp-includes/deprecated.php | Escaping for HTML attributes. |
get_links() | wp-includes/deprecated.php | Gets the links associated with category by ID. |
wp_timezone_choice() | wp-includes/functions.php | Gives a nicely-formatted list of timezone strings. |
wp_nonce_field() | wp-includes/functions.php | Retrieves or display nonce hidden field for forms. |
wp_original_referer_field() | wp-includes/functions.php | Retrieves or displays original referer hidden field for forms. |
WP_Nav_Menu_Widget::form() | wp-includes/widgets/class-wp-nav-menu-widget.php | Outputs the settings form for the Navigation Menu widget. |
WP_Widget_RSS::widget() | wp-includes/widgets/class-wp-widget-rss.php | Outputs the content for the current RSS widget instance. |
WP_Widget_Recent_Comments::form() | wp-includes/widgets/class-wp-widget-recent-comments.php | Outputs the settings form for the Recent Comments widget. |
WP_Widget_Tag_Cloud::widget() | wp-includes/widgets/class-wp-widget-tag-cloud.php | Outputs the content for the current Tag Cloud widget instance. |
WP_Widget_Tag_Cloud::form() | wp-includes/widgets/class-wp-widget-tag-cloud.php | Outputs the Tag Cloud widget settings form. |
WP_Widget_Recent_Comments::widget() | wp-includes/widgets/class-wp-widget-recent-comments.php | Outputs the content for the current Recent Comments widget instance. |
WP_Widget_Recent_Posts::widget() | wp-includes/widgets/class-wp-widget-recent-posts.php | Outputs the content for the current Recent Posts widget instance. |
WP_Widget_Recent_Posts::form() | wp-includes/widgets/class-wp-widget-recent-posts.php | Outputs the settings form for the Recent Posts widget. |
WP_Widget_Categories::form() | wp-includes/widgets/class-wp-widget-categories.php | Outputs the settings form for the Categories widget. |
WP_Widget_Text::form() | wp-includes/widgets/class-wp-widget-text.php | Outputs the Text widget settings form. |
WP_Widget_Calendar::form() | wp-includes/widgets/class-wp-widget-calendar.php | Outputs the settings form for the Calendar widget. |
WP_Widget_Categories::widget() | wp-includes/widgets/class-wp-widget-categories.php | Outputs the content for the current Categories widget instance. |
WP_Widget_Archives::widget() | wp-includes/widgets/class-wp-widget-archives.php | Outputs the content for the current Archives widget instance. |
WP_Widget_Archives::form() | wp-includes/widgets/class-wp-widget-archives.php | Outputs the settings form for the Archives widget. |
WP_Widget_Meta::widget() | wp-includes/widgets/class-wp-widget-meta.php | Outputs the content for the current Meta widget instance. |
WP_Widget_Meta::form() | wp-includes/widgets/class-wp-widget-meta.php | Outputs the settings form for the Meta widget. |
WP_Widget_Search::form() | wp-includes/widgets/class-wp-widget-search.php | Outputs the settings form for the Search widget. |
WP_Widget_Pages::widget() | wp-includes/widgets/class-wp-widget-pages.php | Outputs the content for the current Pages widget instance. |
WP_Widget_Pages::form() | wp-includes/widgets/class-wp-widget-pages.php | Outputs the settings form for the Pages widget. |
wp_widget_rss_output() | wp-includes/widgets.php | Display the RSS entries in a list. |
wp_widget_rss_form() | wp-includes/widgets.php | Display RSS widget options form. |
get_the_taxonomies() | wp-includes/taxonomy.php | Retrieves all taxonomies associated with a post. |
sanitize_term_field() | wp-includes/taxonomy.php | Sanitizes the field value in the term based on the context. |
get_adjacent_post_rel_link() | wp-includes/link-template.php | Retrieves the adjacent post relational link. |
edit_post_link() | wp-includes/link-template.php | Displays the edit post link for post. |
WP_Admin_Bar::_render_container() | wp-includes/class-wp-admin-bar.php | |
WP_Admin_Bar::_render_group() | wp-includes/class-wp-admin-bar.php | |
WP_Admin_Bar::_render_item() | wp-includes/class-wp-admin-bar.php | |
WP_Admin_Bar::add_node() | wp-includes/class-wp-admin-bar.php | Adds a node to the menu. |
wp_get_update_data() | wp-includes/update.php | Collects counts and UI strings for available updates. |
WP_oEmbed::data2html() | wp-includes/class-wp-oembed.php | Converts a data object from WP_oEmbed::fetch() and returns the HTML. |
wp_admin_bar_shortlink_menu() | wp-includes/admin-bar.php | Provides a shortlink. |
get_the_category_rss() | wp-includes/feed.php | Retrieves all of the post categories, formatted for use in feeds. |
rss_enclosure() | wp-includes/feed.php | Displays the rss enclosure for the current post. |
atom_enclosure() | wp-includes/feed.php | Displays the atom enclosure for the current post. |
form_option() | wp-includes/option.php | Prints option value after sanitizing for forms. |
wp_dropdown_users() | wp-includes/user.php | Creates dropdown HTML content of users. |
sanitize_user_field() | wp-includes/user.php | Sanitizes user field based on context. |
_walk_bookmarks() | wp-includes/bookmark-template.php | The formatted output of a list of bookmarks. |
load_template() | wp-includes/template.php | Requires the template file with WordPress environment. |
Walker_PageDropdown::start_el() | wp-includes/class-walker-page-dropdown.php | Starts the element output. |
wp_nav_menu() | wp-includes/nav-menu-template.php | Displays a navigation menu. |
Walker_Page::start_el() | wp-includes/class-walker-page.php | Outputs the beginning of the current element in the tree. |
wp_get_attachment_link() | wp-includes/post-template.php | Retrieves an attachment page link using an image or icon, if possible. |
wp_link_pages() | wp-includes/post-template.php | The formatted output of a list of pages. |
wp_dropdown_pages() | wp-includes/post-template.php | Retrieves or displays a list of pages as a dropdown (select list). |
wp_page_menu()wp-includes/post-template.php | Displays or retrieves a list of pages with an optional home link. |
post_class()wp-includes/post-template.php | Displays the classes for the post container element. |
body_class()wp-includes/post-template.php | Displays the class names for the body element. |
the_title_attribute()wp-includes/post-template.php | Sanitizes the current title when retrieving or displaying. |
sanitize_post_field()wp-includes/post.php | Sanitizes a post field based on context. |
WP_Rewrite::iis7_url_rewrite_rules()wp-includes/class-wp-rewrite.php | Retrieves IIS7 URL Rewrite formatted rewrite rules to write to web.config file. |
sanitize_bookmark_field()wp-includes/bookmark.php | Sanitizes a bookmark field. |
get_the_author_link()wp-includes/author-template.php | Retrieves either author’s link or author’s name. |
wp_list_authors()wp-includes/author-template.php | Lists all the authors of the site, with several options available. |
wp_rss()wp-includes/rss.php | Display all RSS items in a HTML ordered list. |
WP_Widget_Area_Customize_Control::render_content()wp-includes/customize/class-wp-widget-area-customize-control.php | Renders the control’s content. |
WP_Customize_Control::render()wp-includes/class-wp-customize-control.php | Renders the control wrapper and calls $this->render_content() for the internals. |
WP_Customize_Control::get_link()wp-includes/class-wp-customize-control.php | Get the data link attribute for a setting. |
WP_Customize_Control::render_content()wp-includes/class-wp-customize-control.php | Render the control’s content. |
comment_form()wp-includes/comment-template.php | Outputs a complete commenting form for use within a template. |
comments_popup_link()wp-includes/comment-template.php | Displays the link to the comments for the current post ID. |
get_comment_reply_link()wp-includes/comment-template.php | Retrieves HTML content for reply to comment link. |
get_comment_author_link()wp-includes/comment-template.php | Retrieves the HTML link to the URL of the author of the current comment. |
WP_Customize_Widgets::output_widget_control_templates()wp-includes/class-wp-customize-widgets.php | Renders the widget form control templates into the DOM. |
sanitize_comment_cookies()wp-includes/comment.php | Sanitizes the cookies sent to the user already. |
_WP_Editors::editor()wp-includes/class-wp-editor.php | Outputs the HTML for a single instance of the editor. |
wp_print_media_templates()wp-includes/media-template.php | Prints the templates used in the media manager. |
Changelog
Version | Description |
---|---|
2.8.0 | Introduced. |
When escaping the values of attributes that accept URIs (like `href` and `src`), it is important to pass the value through `esc_url()`. If you only use `esc_attr()`, the code may still be vulnerable to XSS. (Note also that when using `esc_url()`, you don't need to also use `esc_attr()`.) More info: Example of escaping `$_POST` data on output

I'm not sure if `esc_attr()` is what you should use if you're echoing out the value for a form input that is allowed to contain HTML entities, because they get lost. I.e., you may start with a string containing HTML entities (e.g. `&amp;`), and find them disappearing (turning into `&`). It's easiest to explain with an example:

1. You have a value in the database that is `Want to do a "br" tag? Do this: &lt;br&gt;`
2. You output that value in a page inside a form input's value with code like this
   That will produce HTML like
3. When that is displayed by the browser, it will DECODE the HTML entities, showing the user `Want to do a "br" tag? Do this: <br>`.
4. When that form is submitted back to the server, the browser will send the value the USER SAW, namely `Want to do a "br" tag? Do this: <br>`.
5. If your database code saves the user's input as it was received, it will save it as `Want to do a "br" tag? Do this: <br>`

Notice we lost the HTML entities? We started with `Want to do a "br" tag? Do this: &lt;br&gt;` but ended up with `Want to do a "br" tag? Do this: <br>`. Oops.

In order to fix that, `esc_attr()` should have DOUBLE-encoded the HTML entities; i.e. produced HTML like this:

Notice the `<br>` tag has been double-encoded. That will mean the value `Want to do a "br" tag? Do this: &lt;br&gt;` will be displayed to the user, and thus get submitted, and saved down the road.

So what function should you use for inputs that are allowed to have HTML entities? `esc_textarea()`.

Here's a code snippet showing the difference:

Which produces the following HTML

Try it and you'll see the second is actually what you want, if you want to allow HTML entities in the value.
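Replaying the round trip from the note above as an added example (not the page's or WordPress's code): `attr_like()` and `textarea_like()` are assumed stand-ins for `esc_attr()` and `esc_textarea()`, built on PHP's `htmlspecialchars()` with `double_encode` off and on respectively, and `browser_round_trip()` models the browser's single level of entity decoding.

```php
<?php
// Added example, not WordPress code. attr_like() approximates esc_attr()
// (no double encoding, as the reference text describes) and textarea_like()
// approximates esc_textarea() (every '&' is encoded, so existing entities
// are double-encoded). browser_round_trip() replays steps 3-5 of the note.

/** Stand-in for esc_attr(): encodes < > & " ' but never re-encodes existing entities. */
function attr_like(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
}

/** Stand-in for esc_textarea(): encodes every '&', so entities already present are double-encoded. */
function textarea_like(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', true);
}

/** What the browser shows the user, and therefore submits back: one level of entity decoding. */
function browser_round_trip(string $attribute_value): string {
    return html_entity_decode($attribute_value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample value "from the database"; it deliberately contains entities.
$stored = 'Want to do a "br" tag? Do this: &lt;br&gt;';

$via_attr     = attr_like($stored);      // the &lt;br&gt; entity passes through unchanged
$via_textarea = textarea_like($stored);  // the entity becomes &amp;lt;br&amp;gt;

printf("attr:     %s\n", $via_attr);
printf("textarea: %s\n", $via_textarea);

// The browser decodes once; the user submits what they saw.
$resubmitted_attr     = browser_round_trip($via_attr);      // entities are lost: literal <br>
$resubmitted_textarea = browser_round_trip($via_textarea);  // entities survive the round trip

var_dump($resubmitted_attr === $stored);      // esc_attr()-style escaping loses the entities
var_dump($resubmitted_textarea === $stored);  // esc_textarea()-style escaping preserves them
```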
It is important to always use quotes around your attribute's value when it is being escaped with `esc_attr()`. Otherwise, your code will still be vulnerable to XSS.

Note that esc_attr will attempt to avoid double-encoding. Take this code:

This will print `A &amp; B` instead of `A &amp;amp; B`.
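An added check for the two points in this note (example code, not the page's own): `attr_like()` is an assumed stand-in for `esc_attr()` using `htmlspecialchars()` without double encoding, and PHP's `DOMDocument` shows what an HTML parser makes of a quoted versus an unquoted attribute holding the same escaped value.

```php
<?php
// Added example, not WordPress code. attr_like() approximates esc_attr().
// The same escaped value is rendered into a quoted and an unquoted attribute;
// parsing both shows why the quotes, not the escaping alone, keep the value
// from ending early. The sample value is harmless: it merely contains a space.

function attr_like(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
}

/** Returns the attribute names the HTML parser sees on the first <input> element. */
function parsed_attribute_names(string $html): array {
    libxml_use_internal_errors(true); // silence parser warnings for this demo
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $input = $doc->getElementsByTagName('input')->item(0);
    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed sample value: no quotes, no angle brackets, just a space.
$value = 'red blue';

$quoted   = '<input type="text" value="' . attr_like($value) . '">';
$unquoted = '<input type="text" value=' . attr_like($value) . '>';

// Quoted: esc_attr()-style escaping encodes any quote characters, so the
// value cannot terminate early and the parser sees exactly: type, value.
print_r(parsed_attribute_names($quoted));

// Unquoted: whitespace ends the value, so "blue" is parsed as a new attribute
// name. Escaping cannot prevent this; only the surrounding quotes can.
print_r(parsed_attribute_names($unquoted));

// Double-encoding is avoided: an entity already present passes through unchanged.
$already_encoded = 'A &amp; B';
var_dump(attr_like($already_encoded) === $already_encoded);
```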