[wp-hackers] esc_url or esc_attr or both

Haluk Karamete halukkaramete at gmail.com
Thu Apr 23 03:48:32 UTC 2015


Thanks Morgan. After your reply, I checked with the codex and saw that it
says the same exact thing as you said.
I should not have asked my original question that way. That was too
obvious.

Maybe I should have asked the question in the following format and asked
whether it is the right way or not:

document.write('<img src="' + '<?php echo esc_js( esc_url( $image_url_js ) ); ?>' + '">');

Or whether the 'esc_js' in there is necessary?

I'm seeking an overall recipe/guidance that would work across the board so
that I do not overlook some odd situation and get xss'ed.




On Wed, Apr 22, 2015 at 6:30 PM, Morgan Estes <morgan.estes at gmail.com>
wrote:

> In this case, using esc_url() as in example 1 is the way to go. Because of
> the way the methods escape output, esc_attr() should be used for all other
> tag attributes, but src and href should be escaped with esc_url().
>
> On Wed, Apr 22, 2015, 7:59 PM Haluk Karamete <halukkaramete at gmail.com>
> wrote:
>
> > Say, you're retrieving a value from the DB and you expect that to be in
> > the form of a URL.
> >
> > Let's assume that that value has to go in an img tag as its src
> > attribute;
> >
> > In this case, what's the recommended way to escape that from an XSS point
> > of view?
> >
> > I provided 4 ways below;
> >
> > 1: just do esc_url
> > <img src="<?php echo esc_url( $url_maybe ); ?>" >
> >
> > 2: just do esc_attr
> > <img src="<?php echo esc_attr( $url_maybe ); ?>" >
> >
> > 3: do both but run esc_attr first
> > <img src="<?php echo esc_url( esc_attr( $url_maybe ) ); ?>" >
> >
> > 4: do both but run esc_url first
> > <img src="<?php echo esc_attr( esc_url( $url_maybe ) ); ?>" >
> >
> >
> > Similar confusion may occur in deciding esc_js and so on.
> > What simple guide can I use in situations like this?
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
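As an added example (not code from this thread and not WordPress core code), here is one URL rendered in the three output contexts the thread discusses: a plain src attribute, a JS string literal inside document.write(), and a JSON hand-off to a DOM API. It assumes WordPress is loaded (template or plugin code) so esc_url(), esc_attr(), esc_js(), esc_url_raw() and wp_json_encode() exist; the variable names and the sample values are constructed for the illustration.

```php
<?php
/**
 * Added example, not from the thread or from WordPress core.
 * Assumes WordPress is loaded so its escaping functions are available.
 * All variable names and sample values below are constructed.
 */

// Constructed samples: one benign URL and two hostile values, each aimed at
// a different parser the value will pass through.
$samples = array(
    'benign' => 'https://example.com/a.png?x=1&y=2',
    // Bad scheme: esc_url() only allows the protocols in wp_allowed_protocols()
    // and returns '' for anything else, so nothing is emitted.
    'scheme' => 'javascript:alert(1)',
    // Tries to close the JS string literal in the document.write() case.
    // esc_url() keeps the quote (valid in a URL) but entity-encodes it;
    // esc_js() then backslash-escapes it, so the string is never terminated early.
    'quote'  => "https://example.com/a.png');alert(1);//",
);
$alt = "Photo 'one' & two";   // constructed; a normal attribute, so esc_attr()

foreach ( $samples as $label => $image_url ) :
?>
<!-- <?php echo esc_html( $label ); ?> -->

<?php
// Context 1: HTML attribute that takes a URL (src, href, action).
// esc_url() validates the scheme, strips characters that cannot appear in a
// URL (including " < >) and entity-encodes & and ', so the result is already
// safe inside a double-quoted attribute. Wrapping it in esc_attr() adds nothing.
// Non-URL attributes such as alt get esc_attr().
?>
<img src="<?php echo esc_url( $image_url ); ?>" alt="<?php echo esc_attr( $alt ); ?>">

<?php
// Context 2: the asker's document.write() form. The browser decodes in this
// order: JS string literal -> (document.write) HTML attribute -> URL.
// Escape innermost-first, i.e. in the reverse order of decoding:
// URL check and attribute encoding (esc_url), then JS string escaping (esc_js).
// So esc_js( esc_url( ... ) ) is the right nesting; esc_js alone would let a
// javascript: URL through, esc_url alone would let a quote end the string.
?>
<script>
document.write('<img src="' + '<?php echo esc_js( esc_url( $image_url ) ); ?>' + '">');
</script>

<?php
// Context 3: avoid the nested context altogether. esc_url_raw() validates the
// URL without entity-encoding it (no &#038; in the value JavaScript sees),
// wp_json_encode() emits a valid JS literal (json_encode escapes "/" so a
// "</script>" inside the value cannot close the element), and setAttribute()
// never re-parses HTML, so no second escaping layer is needed.
?>
<script>
(function () {
    var imageUrl = <?php echo wp_json_encode( esc_url_raw( $image_url ) ); ?>;
    if (imageUrl === '') { return; }          // rejected scheme: emit nothing
    var img = document.createElement('img');
    img.setAttribute('src', imageUrl);
    document.body.appendChild(img);
}());
</script>

<?php endforeach; ?>
```

The recipe the code follows is the general one: escape at the moment of output, pick the function for the exact context the value lands in, and when a value crosses several contexts apply one escaping function per context from the innermost outward. esc_url() already performs the attribute encoding, so options 3 and 4 in the original question are redundant rather than wrong; option 2 is insufficient because esc_attr() does not reject a javascript: scheme.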

