Make WordPress Core

Opened 5 years ago

Closed 4 years ago

#10874 closed enhancement (wontfix)

Use esc_html() instead of htmlspecialchars() when appropriate

Reported by: scribu
Owned by: ryan
Milestone:
Priority: low
Severity: minor
Version: 2.9
Component: Security
Keywords: has-patch needs-testing
Focuses:
Cc:

Description

For all htmlspecialchars($string, ENT_QUOTES), we can safely use esc_html(), which is better.

Attachments (1)

esc_html.diff (2.1 KB) - added by scribu 5 years ago.


Change History (9)

comment:1 scribu, 5 years ago

  • Keywords has-patch needs-testing added

comment:2 ryan, 5 years ago

Can we use esc_html() in wp-db.php? I'm not sure formatting.php is loaded for all situations.

comment:3 azaozz, 5 years ago

esc_html() is a display filter; the main difference from htmlspecialchars() is that it doesn't double-encode some HTML entities and always encodes all quotes. However, when loading text to edit, double-encoding is usually needed.
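
The difference described in comment 3, as an added example that is not part of the ticket, its patch, or the WordPress code base. It uses plain PHP only, so it runs without formatting.php loaded. The helper names (escape_double, esc_html_like, as_rendered) and the sample string are assumptions made for the illustration; esc_html_like() is a hypothetical stand-in that approximates the described esc_html() behaviour (always encode quotes, do not re-encode existing entities) by using the double_encode switch that PHP's htmlspecialchars() has had since 5.2.3, and it is not the real WordPress implementation.

```php
<?php
// Added example, not code from the ticket or from WordPress.
// Shows why "replace htmlspecialchars($s, ENT_QUOTES) with esc_html()"
// is safe for display output but changes what an edit form shows.
declare(strict_types=1);

/** The call the ticket proposes to replace: re-encodes existing entities. */
function escape_double(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/**
 * Hypothetical stand-in for esc_html() (assumption, not the real function):
 * encodes < > & and both quote kinds, but leaves already valid entities alone.
 */
function esc_html_like(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
}

/** What a browser displays after decoding the markup (e.g. inside a <textarea>). */
function as_rendered(string $markup): string
{
    return html_entity_decode($markup, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: stored text that already contains an entity, both quote
// kinds and a tag, so every behaviour difference is visible at once.
$stored = 'Tom &amp; Jerry said "hi" and it\'s <b>bold</b>';

printf("%-15s %s\n", 'double-encode:', escape_double($stored));
printf("%-15s %s\n", 'no-double:',     esc_html_like($stored));

// Both variants turn <b> into &lt;b&gt; and encode both quote kinds, so
// neither lets the tag or a quote break out of an attribute or element.
// They differ only in what the reader ends up seeing:
//  - for display, no-double shows the "&" that &amp; stood for, once;
//  - for an edit form, the user should see the literal stored text,
//    including its "&amp;", which is why double-encoding is wanted there.
echo "display sees:   ", as_rendered(esc_html_like($stored)), "\n";
echo "edit form sees: ", as_rendered(escape_double($stored)), "\n";
```

Run it with `php example.php`. When reviewing a htmlspecialchars() call for replacement, the question to ask is which of the two rendered lines the surrounding template expects: a display context can take the non-double-encoding variant, a field that reloads stored text for editing usually cannot.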

comment:4 hakre, 5 years ago

There is no general rule that says esc_html() is better than htmlspecialchars(). Using htmlspecialchars() where appropriate is perfectly valid. It has less overhead, for example, and does a great job, as well as being properly tested.

comment:5 ryan, 5 years ago

  • Milestone changed from 2.9 to Future Release

comment:6 lloydbudd, 5 years ago

  • Component changed from General to Security
  • Owner set to ryan

comment:7 lloydbudd, 5 years ago

  • Priority changed from normal to low
  • Severity changed from normal to minor

comment:8 scribu, 4 years ago

  • Milestone Future Release deleted
  • Resolution set to wontfix
  • Status changed from new to closed