Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#10874 closed enhancement (wontfix)

Use esc_html() instead of htmlspecialchars() when appropriate

Reported by: scribu
Owned by: ryan
Milestone: (none)
Priority: low
Severity: minor
Version: 2.9
Component: Security
Keywords: has-patch needs-testing
Focuses: (none)
Cc: (none)


For all htmlspecialchars($string, ENT_QUOTES), we can safely use esc_html(), which is better.

Attachments (1)

esc_html.diff (2.1 KB) - added by scribu 6 years ago.


Change History (9)


#1 @scribu
6 years ago

  • Keywords has-patch needs-testing added

#2 @ryan
6 years ago

Can we use esc_html() in wp-db.php? I'm not sure formatting.php is loaded for all situations.

#3 @azaozz
6 years ago

esc_html() is a display filter; the main difference from htmlspecialchars() is that it doesn't double-encode some HTML entities and always encodes all quotes. However, when loading text to edit, double-encoding is usually needed.
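The difference described in the ticket summary and in comment #3 is easiest to see side by side. The script below is an added example, not code from the ticket's patch or from WordPress core, and it does not need WordPress loaded: `escape_default()` is the plain `htmlspecialchars($s, ENT_QUOTES)` call the ticket wants to replace, and `escape_no_double()` is assumed here to approximate what `esc_html()` builds on, namely `_wp_specialchars()` with `double_encode` set to false (the `wp_check_invalid_utf8()` step that `esc_html()` also performs is left out). The sample strings are constructed for the demonstration.

```php
<?php
// Added example, not part of the ticket or of WordPress core.
// Compares PHP's default double-encoding htmlspecialchars() with the
// double_encode = false behaviour that esc_html() relies on.

function escape_default(string $s): string {
    // What the call sites named in the ticket do today: every '&' is
    // encoded again, so an existing '&amp;' becomes '&amp;amp;'.
    return htmlspecialchars($s, ENT_QUOTES);
}

function escape_no_double(string $s): string {
    // Assumption: approximates esc_html() for ASCII input. Existing
    // entities such as '&amp;' or '&#039;' are left untouched; raw
    // '<', '>', '&', '"' and "'" are still encoded.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8', false);
}

// Constructed sample inputs.
$samples = [
    'plain <b>bold</b> & "double" \'single\'',
    'already encoded &amp; &lt;tag&gt; &quot;q&quot; &#039;s&#039;',
    'markup injection <script>alert(1)</script>',
];

foreach ($samples as $s) {
    printf("input:      %s\ndefault:    %s\nno-double:  %s\n\n",
        $s, escape_default($s), escape_no_double($s));
}

// The caveat from comment #3: a stored value that literally contains
// "&amp;" has to be double-encoded when placed into an edit form.
// With the non-double-encoding variant the browser decodes the textarea
// contents to "Rock & Roll", and saving the form silently changes the data.
$stored = 'Rock &amp; Roll';
echo "textarea, double-encoded: ", escape_default($stored), "\n";
echo "textarea, not double:     ", escape_no_double($stored), "\n";
```

For raw markup such as the `<script>` sample both functions produce identical, safe output, so the choice between them is not about whether the escaping stops injection; it is about fidelity when the input already contains entities, which matters for display in one direction and for edit round-trips in the other.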

#4 @hakre
6 years ago

There is no general rule that says esc_html() is better than htmlspecialchars(). Using htmlspecialchars() where appropriate is perfectly valid. It has less overhead, for example, and does a great job as well, as it is properly tested.

#5 @ryan
6 years ago

  • Milestone changed from 2.9 to Future Release

#6 @lloydbudd
6 years ago

  • Component changed from General to Security
  • Owner set to ryan

#7 @lloydbudd
6 years ago

  • Priority changed from normal to low
  • Severity changed from normal to minor

#8 @scribu
6 years ago

  • Milestone Future Release deleted
  • Resolution set to wontfix
  • Status changed from new to closed