I have
return '<button type="button" class="btn btn-success">Open Now</button>';
If I echo this it will work fine. I am getting a warning like "echo is used without escaping". I know that it will be unnecessary to escape this as it is not something that the user enters. But just to get rid of that error, what can I do?
I tried esc_html($thehtmlabove);
but it does not get rendered. It prints as text -> <button type="button" class="btn btn-success">Open Now</button>
Is there any way?
Full code:
public function opening_hour_html()
{
    $type = $this->shopstatus(); // this will be 'Open Now' or 'Closed'
    if ($type == 'Open Now') {
        $wppl_open = __('Open Now','arika');
        return '<button type="button" class="btn btn-success">.'$wppl_open'.</button>';
    } else {
        $wppl_closed = __('Closed','arika');
        return '<button type="button" class="btn btn-danger">.'$wppl_closed'.</button>';
    }
}
edited Nov 24, 2018 at 15:56 by butlerblog
asked Nov 24, 2018 at 14:04 by user145078
- Where are you getting the error? Are you testing the code somehow? Seems like your issue is with the test, not WordPress. – Jacob Peattie, Nov 24, 2018 at 14:11
- You can use wp_kses to ensure only what you specified is returned. But it seems like you might be better off including that HTML in a different way. If you could post the whole function and where you are using it, it may be easier to see. – Alvaro, Nov 24, 2018 at 14:13
- @Alvaro thanks, I have updated my question. I am using it inside a class. Testing wp_kses. – user145078, Nov 24, 2018 at 14:24
- @JacobPeattie it's not an error but a warning from the themecheck plugin. – user145078, Nov 24, 2018 at 14:25
- @LatheeshVMVilla which theme check plugin? Note that escaping isn't something you just magically wrap an entire document in and it's secure; you escape the variables at the most fine-grained level possible, and output immediately without returning HTML as variables. It's good practice to return values from a function, not complex HTML fragments. – Tom J Nowell ♦, Nov 24, 2018 at 14:53
1 Answer
Ok, so this is why it's important to post the actual code that's giving you problems.
There is nothing wrong with this, which is all you had originally:
return '<button type="button" class="btn btn-success">Open Now</button>';
If that was the error, you could ignore it.
This, on the other hand, does need to be escaped:
$wppl_open = __('Open Now','arika');
return '<button type="button" class="btn btn-success">.'$wppl_open'.</button>';
The value of $wppl_open can't be trusted, because it can be affected by something from the outside by the user. A poorly configured or written translation file could cause this HTML to break, or worse, a malicious translation file could make this code unsafe. Also, the quotes are in the wrong place.
So you need to escape $wppl_open (and fix the quotes):
$wppl_open = __('Open Now','arika');
return '<button type="button" class="btn btn-success">' . esc_html( $wppl_open ) . '</button>';
Alternatively, you can perform the escaping at the same time as the translation function by using esc_html__():
$wppl_open = esc_html__('Open Now','arika');
return '<button type="button" class="btn btn-success">' . $wppl_open . '</button>';
But I can't guarantee that the theme check plugin you're using will recognise that as safe, because it still looks like you're echoing an unescaped variable if you just look at the last line.
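Added example, not code from the question or the answer: the opening_hour_html() method rewritten with the escaping the answer recommends, plus a small offline harness that shows what escaping does to a translation entry that carries markup. It assumes the WordPress functions __(), esc_html() and esc_attr(); the shims and the constructed translation table below exist only so the script runs outside WordPress.

```php
<?php
// Shims so this runs without WordPress loaded. Inside WordPress the real
// esc_html()/esc_attr()/__() are used and these blocks are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('__')) {
    // Constructed stand-in "translation file": one sane entry and one that
    // carries markup, the kind of content a badly written or tampered
    // .po/.mo file could deliver into the theme.
    function __($text, $domain = 'default') {
        static $translations = [
            'Open Now' => 'Ouvert',
            'Closed'   => '</button><em>tampered</em><button>',
        ];
        return $translations[$text] ?? $text;
    }
}

class ShopStatus
{
    private $status;

    public function __construct($status) { $this->status = $status; }

    public function shopstatus() { return $this->status; }

    // Hardened version of the question's method: the translated label goes
    // through esc_html(), the class attribute through esc_attr(), and the
    // string is concatenated correctly (quotes around the HTML, not the variable).
    public function opening_hour_html()
    {
        $is_open = ($this->shopstatus() === 'Open Now');
        $label   = $is_open ? __('Open Now', 'arika') : __('Closed', 'arika');
        $class   = $is_open ? 'btn btn-success' : 'btn btn-danger';
        return '<button type="button" class="' . esc_attr($class) . '">'
             . esc_html($label) . '</button>';
    }
}

echo (new ShopStatus('Open Now'))->opening_hour_html(), PHP_EOL;
// The markup in the "Closed" translation is rendered as inert text
// (&lt;/button&gt;...) instead of closing the button and adding new elements.
echo (new ShopStatus('Closed'))->opening_hour_html(), PHP_EOL;
```

Run it with `php` on the command line to see the second line printed with the angle brackets entity-encoded; in WordPress the same method produces the same result because esc_html() encodes the same characters.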