[wp-trac] [WordPress Trac] #11040: esc_attr() doesn't strip HTML tags

WordPress Trac wp-trac at lists.automattic.com
Tue Oct 27 18:10:56 UTC 2009

#11040: esc_attr() doesn't strip HTML tags
 Reporter:  kingjeffrey       |        Type:  defect (bug)
   Status:  new               |    Priority:  normal      
Milestone:  2.9               |   Component:  Formatting  
  Version:                    |    Severity:  normal      
 Keywords:  has-patch commit  |  

Comment(by filosofo):

 Replying to [comment:6 scribu]:
 > when is it useful to have escaped html in an attribute?

 The esc_* functions are meant to be used by plugin and theme developers.
 That means:
  * They should be named in a way that reflects their use.  If something
 strips out the html, call it "strip_tags()", not "esc_attr()".
  * We can't think of every possible use to which someone might want to put
 them.  For example, suppose I want in the "title" attribute of my link:
 "Click here to learn more about the <p> element."  It makes sense for me
 to be able to use esc_attr() on it to escape it.
  * HTML entities are legal in attributes.  Why should they be removed?
  * Any place in the code that needs to strip out tags can nest
 strip_tags() in esc_attr().

 > Besides, esc_attr() and esc_html() are currently ''identical''. So
 what's the point of having two functions that do the same thing?

 They do have different filter names, so you can always filter out HTML
 entities in escaped attributes for your own purposes.

Ticket URL: <http://core.trac.wordpress.org/ticket/11040#comment:7>
WordPress Trac <http://core.trac.wordpress.org/>
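The distinction the comment draws, escaping versus stripping, as an added example that is not part of the ticket or of WordPress core. esc_attr_stub() is an assumption: it stands in for WordPress's esc_attr() by entity-encoding with ENT_QUOTES so the script runs without WordPress loaded.

```php
<?php
// Added example (not from the ticket). esc_attr_stub() approximates
// WordPress esc_attr(): encode <, >, &, " and ' so the value cannot
// leave the attribute it is placed in.
function esc_attr_stub(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// The title from the comment: the "<p>" is data the author wants shown.
$title = 'Click here to learn more about the <p> element.';

// Escaping keeps every character; the browser decodes the entities and
// the tooltip reads exactly as the author wrote it.
echo '<a href="/p" title="' . esc_attr_stub($title) . '">p</a>', "\n";

// Stripping treats "<p>" as markup and deletes it, so the sentence loses
// the very word it was about. This is why a stripping function should
// not be named esc_attr().
echo strip_tags($title), "\n";

// Constructed value with quotes and tags. strip_tags() removes the tags
// but leaves the double quotes untouched, and an unescaped quote is what
// terminates an attribute: stripping is not escaping.
$mixed = 'Say "hello" <b>loudly</b>';
echo strip_tags($mixed), "\n";

// The nesting filosofo describes: strip first when tags are unwanted,
// then always escape for the attribute context.
echo '<img alt="' . esc_attr_stub(strip_tags($mixed)) . '" src="/x.png">', "\n";
```

The escaped output is what esc_attr() should produce; in real WordPress the value also passes through the attribute_escape filter mentioned in the comment, which the stub omits.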