Opened 16 years ago
Closed 15 years ago
#10874 closed enhancement (wontfix)
Use esc_html() instead of htmlspecialchars() when appropriate
| Field | Value |
|---|---|
| Reported by | |
| Owned by | |
| Milestone | |
| Priority | low |
| Severity | minor |
| Version | 2.9 |
| Component | Security |
| Keywords | has-patch needs-testing |
| Focuses | |
| Cc | |
Description
For all htmlspecialchars($string, ENT_QUOTES), we can safely use esc_html(), which is better.
Attachments (1)
Change History (9)
#3, 16 years ago
esc_html() is a display filter; the main difference from htmlspecialchars() is that it doesn't double-encode some HTML entities and always encodes all quotes. However, when loading text to edit, double-encoding is usually needed.
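The two differences described in the comment, and the edit-form caveat, as an added example that is not from the ticket or from WordPress core. `wp_esc_html_like()` is a hypothetical stand-in that approximates esc_html() through htmlspecialchars()'s `double_encode` parameter, and the sample string is constructed:

```php
<?php
// Added example, not code from the ticket or from WordPress core.
// wp_esc_html_like() is a hypothetical stand-in approximating the two
// properties of esc_html() named in the comment: ENT_QUOTES always, and
// no double-encoding of entities already present in the input.

function wp_esc_html_like(string $text): string
{
    // double_encode = false keeps an existing "&amp;" as "&amp;" instead of
    // turning it into "&amp;amp;"; ENT_QUOTES covers ' as well as ".
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
}

// Constructed sample: an entity the author typed literally, both quote
// styles, and a tag that must never reach the page raw.
$stored = 'Tom &amp; Jerry\'s "cat" <b>';

// Display context. htmlspecialchars() with its default double_encode=true
// re-encodes the existing entity, so the page shows the text "&amp;".
$display_hs = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');

// The esc_html()-like filter leaves the entity alone, so the page shows "&".
// Angle brackets and both quote styles are still neutralised either way.
$display_esc = wp_esc_html_like($stored);

// ENT_COMPAT (double quotes only) shows why "always encodes all quotes"
// matters: the single quote survives, which is unsafe inside a
// single-quoted attribute.
$display_compat = htmlspecialchars($stored, ENT_COMPAT, 'UTF-8');

// Edit context. A textarea shows the browser-decoded form of the markup;
// html_entity_decode() models that step. Double-encoding hands the author
// back exactly what was stored; the non-double-encoding filter silently
// turns the literal "&amp;" into "&", which is the comment's caveat.
$edit_hs  = html_entity_decode($display_hs, ENT_QUOTES, 'UTF-8');
$edit_esc = html_entity_decode($display_esc, ENT_QUOTES, 'UTF-8');

foreach (['display/htmlspecialchars' => $display_hs,
          'display/esc_html-like'    => $display_esc,
          'display/ENT_COMPAT'       => $display_compat,
          'edit/htmlspecialchars'    => $edit_hs,
          'edit/esc_html-like'       => $edit_esc] as $label => $value) {
    printf("%-26s %s\n", $label, $value);
}

// Round-trip check: only the double-encoded path returns the stored text.
var_dump($edit_hs === $stored, $edit_esc === $stored);
```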
Can we use esc_html() in wp-db.php? I'm not sure formatting.php is loaded for all situations.