#9650 closed defect (bug) (fixed)
attribute_escape() shortcuts
| Reported by: | ryan | Owned by: | |
|---|---|---|---|
| Milestone: | 2.8 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Formatting | Keywords: | security i18n |
| Focuses: | | Cc: | |
Description
attribute_escape() is often forgotten on value attributes, especially on translated messages. Maybe some shortcuts would improve adoption. Use esc() as shorthand for attribute_escape() and add _e_esc() and _t_esc() which run translations through attribute_escape(), thus avoiding the need to do this: echo attribute_escape( __('Translated string') )
Attachments (2)
Change History (23)
#1 (15 years ago)
- Component changed from General to Formatting
- Keywords security i18n added
- Owner anonymous deleted
#11 (15 years ago)
I find this to be harder to remember. My inclination would be to standardize the function names but keep them memorable and more obvious.
Here is my suggestion:
__ = translate return suffix
_e = translate echo suffix
Stick all escaping functions into an "esc" class.
methods:
- attr()
- url()
- js()
- html()
- sql()
html(), js(), attr() would have __ and _e suffix versions too.
So it would look like:
esc::[context][optional translation suffix]( $input, [optional translation domain]);
Example:
<a href="<?php echo esc::url( $my_url ); ?>"><?php esc::html_e( 'My translatable string' ); ?></a>
It's still shorter, but it's obvious that escaping is going on, and which context is being used. People already know __() and _e() so we keep those as suffixes. This also puts all our escaping in one place, so that curious people can look there to see which contexts they should be escaping but might not be.
#15 (15 years ago)
mm... in that case we'd want to use straight functions instead: esc_html_e(), etc.
#16 (15 years ago)
- Cc tran.minhquan@… added
keep _e and at the beginning for better auto-completion if straight functions are used
#19 (15 years ago)
link2caro, considered that, but _eattr_esc() isn't very clear. The leading underscore makes it ideal as a suffix. Also:
attribute_escape(__('string'));
Becomes:
esc_attr__('string');
Maps well.
_a(), _ea(), _xa() are other suggestions.
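As an added stand-alone illustration (not code from this ticket or from WordPress core) of the esc_attr__() / esc_html_e() naming discussed in comments #11 and #19: the translation table, the __() stand-in and the escaping helpers are simplified assumptions made here, and the closing lines show why a translated string dropped straight into an attribute needs esc_attr() even when the source string looked harmless.

```php
<?php
// Added illustration, not WordPress core code: stand-ins for the
// esc_attr__() / esc_html_e() shortcuts proposed in this ticket.

// Constructed translation table; WordPress would consult gettext instead.
// The translator's text contains double quotes even though the source did not.
$GLOBALS['demo_translations'] = [
    'Search posts' => 'Rechercher les "articles"',
];

// Minimal stand-in for WordPress's __(): return the translation if one exists.
function __(string $text, string $domain = 'default'): string {
    return $GLOBALS['demo_translations'][$text] ?? $text;
}

// Attribute context: neutralise quotes, <, > and & so the value cannot
// terminate the attribute or start a new one.
function esc_attr(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// HTML body context (same transformation here; kept separate so the
// call site names the context it is escaping for).
function esc_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The proposed shortcuts: translate first, then escape for the named context.
function esc_attr__(string $text, string $domain = 'default'): string {
    return esc_attr(__($text, $domain));
}
function esc_attr_e(string $text, string $domain = 'default'): void {
    echo esc_attr__($text, $domain);
}
function esc_html__(string $text, string $domain = 'default'): string {
    return esc_html(__($text, $domain));
}
function esc_html_e(string $text, string $domain = 'default'): void {
    echo esc_html__($text, $domain);
}

// Forgotten escaping: the translated quote ends the attribute early.
$unescaped = '<input type="submit" value="' . __('Search posts') . '">';
// With the shortcut the quotes become &quot; and the attribute stays intact.
$escaped   = '<input type="submit" value="' . esc_attr__('Search posts') . '">';

echo $unescaped, "\n", $escaped, "\n";
```

Running it prints the broken attribute first and the intact one second; the difference is entirely the translated text, which is why the escaping call belongs in the shortcut rather than at each call site.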