Opened 4 years ago

Closed 3 years ago

#10874 closed enhancement (wontfix)

Use esc_html() instead of htmlspecialchars() when appropriate

Reported by: scribu Owned by: ryan
Priority: low Milestone:
Component: Security Version: 2.9
Severity: minor Keywords: has-patch needs-testing
Cc:

Description

For all htmlspecialchars($string, ENT_QUOTES), we can safely use esc_html(), which is better.

Attachments (1)

esc_html.diff (2.1 KB) - added by scribu 4 years ago.

Download all attachments as: .zip

Change History (9)

scribu4 years ago

comment:1   scribu4 years ago

  • Keywords has-patch needs-testing added

comment:2   ryan4 years ago

Can we use esc_html() in wp-db.php? I'm not sure formatting.php is loaded for all situations.

comment:3   azaozz4 years ago

esc_html() is a display filter, main difference from htmlspecialchars() is that it doesn't double-encode some html entities and always encodes all quotes. However when loading text to edit double-encoding is usually needed.

comment:4   hakre4 years ago

There is no general rule that says esc_html() is better then htmlspecialchars. Using htmlspecialchars where appropriate is perfectly valid. It has less overhead for example and does a great job as well as it is properly tested.

comment:5   ryan4 years ago

  • Milestone changed from 2.9 to Future Release

comment:6   lloydbudd3 years ago

  • Component changed from General to Security
  • Owner set to ryan

comment:7   lloydbudd3 years ago

  • Priority changed from normal to low
  • Severity changed from normal to minor

comment:8   scribu3 years ago

  • Milestone Future Release deleted
  • Resolution set to wontfix
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.