
theme development - Do I need to escape the get_the_password_form function?


I saw that ThemeForest/WordPress says all WordPress default get functions need their output escaped, for security reasons, in WordPress theme or plugin development. Now I want to show the password form if a post is password protected, so I'm using the get_the_password_form() function. What I need to know is: does this function need escaping?

If the answer is yes, please help me: how can I escape this function? With esc_html(), esc_url(), etc.? Which function do I need to use for escaping?

Here are the ThemeForest requirements.

And here is my code:

<div class="single-blog-content">
    <?php
        if ( post_password_required() ) {
            echo get_the_password_form();
        } else {
            the_excerpt();
        }
    ?>
</div>

asked Jan 10, 2019 at 5:32 by Md Abul Bashar; edited Jan 10, 2019 at 5:51 by fuxia

  • You couldn't really escape it. It contains HTML, so escaping it would only break it. You should contact ThemeForest if you have questions about their requirements. – Jacob Peattie, Jan 10, 2019 at 6:51

1 Answer

There is nothing to escape in your code.

Let's say a given function should return only plain text, and no HTML entities should be allowed. For example, you want to display the search query string.

In such a case you should use esc_html.

This way, if a user puts <b>ala</b> as the search string, your site will print exactly that.

If you don't escape that string before printing it, it will be treated as HTML code and you'll see only the bold word ala.

But... you have to escape with the proper function, depending on the context.

So:

<h1>You’re looking for: <?php echo esc_html( get_query_var( 's' ) ); ?></h1>

But:

<input name="s" value="<?php echo esc_attr( get_query_var( 's' ) ); ?>"/>

So, let’s get back to your code...

get_the_password_form()

should output HTML tags, and they should be processed as HTML code by the browser, so you can't escape it. If you do, you'll see a string containing HTML tags instead of a form.
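The three contexts the answer distinguishes (text, attribute, and pre-built HTML from a core function), shown side by side in one script. This is an added example, not code from the question, the answer, or WordPress itself. It assumes the WordPress functions esc_html(), esc_attr() and get_the_password_form(); when run outside WordPress with the php CLI, the guarded stand-in definitions below (simplified approximations using htmlspecialchars and a trimmed copy of the form markup) take their place so the file runs on its own.

```php
<?php
// Added example (not from the original question or answer). Demonstrates
// context-dependent escaping as the answer describes. Outside WordPress the
// stand-ins below replace esc_html() / esc_attr() / get_the_password_form()
// so this runs with `php escaping.php`; inside WordPress the real ones are used.

if ( ! function_exists( 'esc_html' ) ) {
    // Stand-in (assumption): WordPress's esc_html() also normalises existing
    // entities; htmlspecialchars() covers the characters that matter for text.
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    // Stand-in (assumption): attribute context must at least neutralise quotes
    // and angle brackets so a value cannot close the attribute early.
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'get_the_password_form' ) ) {
    // Stand-in (assumption): a trimmed-down version of the markup WordPress generates.
    function get_the_password_form() {
        return '<form class="post-password-form" method="post">'
             . '<p>This content is password protected.</p>'
             . '<input name="post_password" type="password" /> '
             . '<input type="submit" value="Enter" /></form>';
    }
}

// Constructed, untrusted search string: what a visitor might type into ?s=
$search = '"><b>ala</b><script>alert(1)</script>';

// 1. Text context: esc_html() so the tags are displayed literally, not rendered.
$heading = '<h1>You’re looking for: ' . esc_html( $search ) . '</h1>';

// 2. Attribute context: esc_attr() so the value cannot close the attribute
//    and inject new attributes or tags.
$input = '<input name="s" value="' . esc_attr( $search ) . '"/>';

// 3. Pre-built HTML from a core function: output as-is. Escaping it would turn
//    the form into visible text, which is the failure the answer warns about.
$form        = get_the_password_form();
$broken_form = esc_html( $form );

echo $heading, "\n", $input, "\n", $form, "\n\n";
echo "What escaping the form would show the visitor:\n", $broken_form, "\n";

// Checks a reviewer can run: the untrusted string never appears unescaped in
// the text or attribute contexts, while the form keeps its tags intact.
assert( strpos( $heading, '<script>' ) === false );
assert( strpos( $input, '"><' ) === false );
assert( strpos( $form, '<form' ) === 0 );
```

The rule of thumb the script illustrates: escape untrusted data at the point of output, using the function for the context it lands in (esc_html for text nodes, esc_attr for attribute values, esc_url for href/src), and do not escape values that a core function already returns as finished HTML, because that only converts the markup into literal text.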
