[wp-trac] [WordPress Trac] #32556: Clarify behaviour of esc_attr() with respect to HTML entities

WordPress Trac noreply at wordpress.org
Wed Jun 3 06:33:05 UTC 2015

#32556: Clarify behaviour of esc_attr() with respect to HTML entities
 Reporter:  leewillis77   |       Owner:
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  Formatting    |     Version:
 Severity:  normal        |  Resolution:  invalid
 Keywords:                |     Focuses:

Comment (by leewillis77):


 I'm aware it's a fine line between bug and support, but please consider
 re-opening this - rationale below.

 The reason I opened it as a bug is that esc_attr() is interfering with
 the string it is passed in undocumented ways. At the very least, that's a
 documentation bug; ideally it just shouldn't do it, although I appreciate
 that's probably difficult.

 According to the documentation, all three of these '''should''' return the
 same string, however the versions that include esc_attr() return different
 output to the non-esc_attr() version.

 htmlspecialchars('»') // Returns »

 esc_attr(htmlspecialchars('»')); // Returns »

 esc_attr('»'); // Returns »

 The &amp; passed into esc_attr is being decoded to & when it should not
 be. I presume this is part of esc_attr() trying to make sure it's not
 double-encoding things, but it should not decode if the encoding was part
 of the source string.

Ticket URL: <https://core.trac.wordpress.org/ticket/32556#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
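
The double-encoding question raised in the comment above, as an added example that is not part of the original message and is not WordPress code: it calls PHP's built-in htmlspecialchars() with its $double_encode flag off and on, then checks whether decoding the escaped value gives back the input. The helper names and sample strings are constructed for illustration.

```php
<?php
// Added illustration in plain PHP; escape_once/escape_always are hypothetical helpers.

function escape_once(string $s): string {
    // $double_encode = false: text that already looks like an entity is left
    // untouched; bare & < > " ' are still encoded.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8', false);
}

function escape_always(string $s): string {
    // $double_encode = true: every & is encoded, so the escaped value always
    // decodes back to exactly the input.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8', true);
}

function round_trips(string $input, string $escaped): bool {
    // Decode the way an HTML parser would when reading the attribute value.
    return html_entity_decode($escaped, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $input;
}

// Constructed sample inputs.
$samples = [
    'Tom & Jerry',   // bare ampersand
    'say "hi"',      // quote that must not end the attribute
    '&raquo;',       // text that is already a named entity
    '&amp;raquo;',   // the same text after one pass of encoding
];

foreach ($samples as $in) {
    $once   = escape_once($in);
    $always = escape_always($in);
    printf(
        "%-14s once: %-22s lossless=%-3s always: %-26s lossless=%s\n",
        $in,
        $once,
        round_trips($in, $once) ? 'yes' : 'no',
        $always,
        round_trips($in, $always) ? 'yes' : 'no'
    );
}
```

Both modes encode the quote, so neither lets a value break out of the attribute; they differ only in whether input that already contains entity-like text survives a round trip unchanged.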