[wp-trac] [WordPress Trac] #11040: esc_attr() doesn't strip HTML tags
WordPress Trac
wp-trac at lists.automattic.com
Tue Oct 27 18:10:56 UTC 2009
#11040: esc_attr() doesn't strip HTML tags
------------------------------+---------------------------------------------
Reporter: kingjeffrey | Type: defect (bug)
Status: new | Priority: normal
Milestone: 2.9 | Component: Formatting
Version: | Severity: normal
Keywords: has-patch commit |
------------------------------+---------------------------------------------
Comment(by filosofo):
Replying to [comment:6 scribu]:
> when is it useful to have escaped html in an attribute?
The esc_* functions are meant to be used by plugin and theme developers.
That means:
* They should be named in a way that reflects their use. If something
strips out the html, call it "strip_tags()", not "esc_attr()".
* We can't think of every possible use to which someone might want to put
them. For example, suppose I want in the "title" attribute of my link:
"Click here to learn more about the <p> element." It makes sense for me
to be able to use esc_attr() on it to escape it.
* HTML entities are legal in attributes. Why should they be removed?
* Any place in the code that needs to strip out tags can nest
strip_tags() in esc_attr().
> Besides, esc_attr() and esc_html() are currently ''identical''. So
what's the point of having two functions that do the same thing?
They do have different filter names, so you can always filter out HTML
entities in escaped attributes for your own purposes.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11040#comment:7>
WordPress Trac <http://core.trac.wordpress.org/>
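The three options filosofo contrasts (escape only, strip only, strip nested inside escape), run on the title from the comment, as an added example that is not WordPress code; `approx_esc_attr()` is a stand-in that approximates `esc_attr()` with `htmlspecialchars()` and is an assumption of this example, not the WordPress implementation.

```php
<?php
// Added example, not WordPress code. approx_esc_attr() approximates esc_attr()
// with htmlspecialchars(), which escapes the same attribute-breaking
// characters (&, <, >, ", '). Real WordPress code should call esc_attr().
function approx_esc_attr(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// The title value from the comment above.
$title = 'Click here to learn more about the <p> element.';

// 1. Escape only: <p> becomes &lt;p&gt;, so the browser shows the literal
//    text "<p>" in the tooltip and nothing can close the attribute.
$escaped = approx_esc_attr($title);

// 2. Strip only: the <p> is removed, and the sentence loses its meaning.
//    strip_tags() also does nothing about quotes or ampersands.
$stripped = strip_tags($title);

// 3. strip_tags() nested in the escaper, as the comment suggests for code
//    that really must drop tags: tags removed, the rest still escaped.
$both = approx_esc_attr(strip_tags($title));

// Why stripping is not an escaping step: a value with quotes and an
// ampersand passes through strip_tags() unchanged, while escaping turns
// them into entities that stay inside the attribute.
$quoted          = 'Say "hi" & smile';
$stripped_quoted = strip_tags($quoted);
$escaped_quoted  = approx_esc_attr($quoted);

// Emit each variant in attribute context so the difference is visible.
printf('<a title="%s">escape only</a>%s', $escaped, PHP_EOL);
printf('<a title="%s">strip only</a>%s', $stripped, PHP_EOL);
printf('<a title="%s">strip inside escape</a>%s', $both, PHP_EOL);
printf('<a title="%s">quotes, strip only</a>%s', $stripped_quoted, PHP_EOL);
printf('<a title="%s">quotes, escaped</a>%s', $escaped_quoted, PHP_EOL);
```

Only the escaped variants keep the attribute intact for every input; the stripped-only lines show that removing tags is a content decision, not a substitute for attribute escaping.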