Should I escape wordpress functions like the_title, the_excerpt, the_content

The question:

I had a look at the code but I couldn't see any escaping on functions like the_title, the_content, the_excerpt, etc. I might not be reading it right. Do I need to escape these functions in theme development like:

esc_html ( the_title () )

Edit: as pointed out in the answers below the above code is wrong regardless – the code should have read
esc_html ( get_the_title () )

The Solutions:


Method 1

Escaping depends entirely on the context in which you are using the functions. What is safe for displaying inside <h1> tags is not necessarily safe to display as the value attribute of an input field, and even that wouldn't necessarily be safe as a href attribute value.

In short – perform the sanitisation yourself as you output it. Though in the case of the_title () or get_the_title (), esc_html is not necessary, since WordPress applies the following functions:

Note: the_title prints the title – so esc_html ( the_title () ) won’t work. Similarly, the_content prints the content (in any case, you’d expect the content to display HTML).

Method 2

Yes and no – depends on whether you want html in those functions to be output or not. If you escape the_content(), for example, and it contains a <div> tag, that tag would actually be output to the page as &lt;div&gt; instead.

By the way, if you do escape the output of those functions, you’ll want to use their “get_” equivalents (ex. get_the_content()) as those functions echo their output directly.
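The point made in Method 1 and Method 2, that the right escape function depends on the output context and that only the get_ variants return a string you can escape, as an added example (not code from either answer). It assumes WordPress is loaded and the template is running inside The Loop:

```php
<?php
// Added example: context-aware escaping in a theme template.
// Assumes WordPress is loaded and we are inside The Loop.

// 1. Body-text context: the_title() already runs the title through its
//    filters and echoes it, so esc_html( the_title() ) is wrong: the title is
//    printed before esc_html() runs, and esc_html() receives nothing.
?>
<h1><?php the_title(); ?></h1>

<?php
// 2. Attribute context: text that is safe inside <h1> is not attribute-safe.
//    Use the get_ variant so there is a string to escape, then esc_attr().
?>
<input type="text" name="post_title" value="<?php echo esc_attr( get_the_title() ); ?>">

<?php
// 3. URL context: an href needs esc_url(), not esc_html() or esc_attr().
?>
<a href="<?php echo esc_url( get_permalink() ); ?>" title="<?php echo esc_attr( get_the_title() ); ?>">
    <?php the_title(); ?>
</a>

<?php
// 4. Content context: the_content() is expected to emit HTML (paragraphs,
//    images), so escaping it would print the markup literally. WordPress
//    already filters post content on save (wp_kses_post for users without
//    the unfiltered_html capability), so output it as-is here.
the_content();

// 5. When you do need plain, escaped content text (a meta description, say),
//    take the get_ variant, strip the tags, then escape for the attribute.
$description = wp_trim_words( wp_strip_all_tags( get_the_content() ), 30 );
?>
<meta name="description" content="<?php echo esc_attr( $description ); ?>">
```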

Method 3

You can simply write a function like this and hook it to the_title filter:

// Escape the title as HTML text; the filter receives the title string and
// must return the (escaped) string for WordPress to print.
function my_escape_title( $title ) {
    return esc_html( $title );
}
// Hook into the 'the_title' filter so the_title() and get_the_title() both
// pass through it.
add_filter( 'the_title', 'my_escape_title' );


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
