[wp-trac] [WordPress Trac] #25485: Why does esc_attr not double encode entities by default?
WordPress Trac
noreply at wordpress.org
Thu Oct 3 23:39:00 UTC 2013
#25485: Why does esc_attr not double encode entities by default?
--------------------------+-----------------------------
Reporter: smerriman | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Formatting | Version: 3.6.1
Severity: normal | Keywords:
--------------------------+-----------------------------
This function has been around for a long time, so I'm sure there is a good
explanation for why this isn't a "bug", but I'm very confused.
The main point of esc_attr is that you can use it inside, say:
`input value="<?php echo esc_attr($x);?>"`
so that the input field displays exactly the string $x, rather than
messing up quotes and other special characters. However, this is not true
of HTML entities.
A simple example - in the Tagline field on the WordPress general settings
page, enter:
`&copy;`
In the database, this is saved exactly as typed.
When the page reloads, you see the copyright symbol rather than what you
typed.
If you save the options again without changing anything, the database
changes to the actual single copyright character, rather than the HTML.
It seems wrong to me that saving the page without changing anything would
result in different results in the database.
This would become extremely problematic if, say, you wanted
characters, as after the first save you would no longer be able to
distinguish them from normal characters.
I know there is an optional variable you can pass to esc_attr to avoid
this, but should not all inputs throughout WordPress, or indeed the
default esc_attr, encode these entities properly? Or is there a good
reason for this unusual (to me) behaviour?
(Note that they are properly encoded in esc_textarea).
--
Ticket URL: <http://core.trac.wordpress.org/ticket/25485>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
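Added example, not part of the ticket or of WordPress core: a small Python model of the save-and-reload cycle the report describes. The `esc_attr()` here is a stand-in that escapes `& < > " '` but, when `double_encode` is false, leaves existing entities such as `&copy;` untouched, which is the behaviour the ticket is about; `browser_submits()` models the browser decoding the `value` attribute and posting the decoded text back.

```python
import html
import re

# Matches a well-formed named or numeric entity, e.g. &copy; &#169; &#xA9;
ENTITY_RE = re.compile(r"&(?:#\d+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);")


def esc_attr(text: str, double_encode: bool = False) -> str:
    """Stand-in for an attribute escaper (hypothetical, not WordPress's code).

    double_encode=True : every '&' is escaped, so '&copy;' becomes '&amp;copy;'.
    double_encode=False: existing entities are preserved, only the rest is escaped.
    """
    if double_encode:
        return html.escape(text, quote=True)
    parts, pos = [], 0
    for m in ENTITY_RE.finditer(text):
        parts.append(html.escape(text[pos:m.start()], quote=True))
        parts.append(m.group(0))  # keep the entity exactly as written
        pos = m.end()
    parts.append(html.escape(text[pos:], quote=True))
    return "".join(parts)


def browser_submits(value_attr: str) -> str:
    """The browser decodes the attribute's entities and submits the decoded text."""
    return html.unescape(value_attr)


def save_cycle(stored: str, cycles: int, double_encode: bool) -> str:
    """Render the field from the stored value, submit it unchanged, store the result."""
    for _ in range(cycles):
        stored = browser_submits(esc_attr(stored, double_encode))
    return stored


def literal_survives(typed: str, double_encode: bool) -> bool:
    """Does the text typed by the user still read the same after a no-op save?"""
    return save_cycle(typed, 1, double_encode) == typed


if __name__ == "__main__":
    # Constructed input: the entity typed into the Tagline field.
    typed = "&copy;"
    print(esc_attr(typed))                       # &copy;  (rendered as the symbol)
    print(save_cycle(typed, 1, double_encode=False))  # the stored value is now the symbol
    print(save_cycle(typed, 1, double_encode=True))   # stays &copy;
```

Run it and the second no-op save shows the loss the report describes: with `double_encode=False` both `&copy;` and the literal symbol end up stored as the symbol, so the two inputs can no longer be told apart.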