WordPress

Gary Stewart
14,142 Points

Escaping output within Wordpress?

Hi guys, I'm someone who is slowly learning the ins and outs of coding, and more specifically coding for WordPress.

I understand the process of validating input and escaping output, but what exactly should I be escaping? Is it only information that has been entered by a user, or also information that is taken from the database? For example, am I right in thinking that this should be escaped:

<?php
// A URL value that is echoed into the page, passed through esc_url() first
$address = "www.this.com";
echo esc_url( $address );
?>

but this doesn't need to be, as nothing is being taken from an external source and it is hard-coded in a page template?

<?php
// Redirect to a URL written directly into the template
wp_redirect( 'http://www.this.com' );
exit;
?>

Thanks!

2 Answers

You are right in saying that you should sanitize input and escape output. However, in many cases, WordPress takes care of all that for you, especially if it's in the admin area. Unless you're adding some pretty involved code to the frontend (e.g., a forum), you should be able to get away without having to escape or sanitize anything, as WordPress does it for you.

Even if you are looking to add very involved forms to the frontend, WordPress still provides a lot of functions that make it very easy to sanitize input and escape output. For instance, I'd check out the wp_insert_post() and wp_editor() functions on the Codex. The first allows you to create posts programmatically, but it sanitizes all given data, fills in anything you or the user has left blank, and just generally streamlines that whole process. The second function generates a TinyMCE editor that you can use on the frontend. I discovered them both recently when I was building a forum for a WordPress website I maintain, and they both really streamlined that process.

In conclusion: yes, you should sanitize input and escape output. But in the case of WordPress, that's mostly taken care of for you. As long as you use WordPress-provided functions and know that each one sanitizes/escapes (and most do), then you should be good to go.

Gary Stewart
14,142 Points

Thank you for your response!

So I only need to escape something that has either been entered by a user or retrieved from the database? I don't need to escape, say, a URL I myself have hard-coded? It may sound a bit stupid, but I'm just thinking!

In my case I am actually using and calling a lot of my own created post_meta information using:

<?php
// Read a single custom field value for the given post ID
$openTo = get_post_meta( $postRef, 'open_to', true );
?>

for example, so this is getting information from the database?

While on the subject, does anyone know the best way to escape a floating-point cash amount to two decimal places? I used intval() for whole numbers, but say I have a number of 36.10 and use the function floatval(), it returns 36.1, where I would like the full number including the zeros.

Thanks again!
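The following is an added example, not code from the original thread, that pulls together the two open questions above: what needs escaping, and how to show a cash amount with exactly two decimals. The rule it demonstrates is that escaping is chosen by the output context (HTML text node, quoted attribute, href), and applied to every value that is not a literal in your own source. A value read with get_post_meta() counts as untrusted because it was written by some user, import or plugin, and the database stores whatever was saved. The example assumes WordPress's esc_html(), esc_attr() and esc_url() are available; when run outside WordPress it falls back to small approximations of them (labelled as such) so the file still executes from the command line. The meta values are constructed test data standing in for get_post_meta() results.

```php
<?php
// Added example, not from the original thread: context-aware escaping of post
// meta in a WordPress template, plus two-decimal formatting of a cash amount.
// Assumption: inside WordPress the real esc_*() functions are used; outside it
// the fallbacks below approximate them so the file runs from the command line.
declare(strict_types=1);

if ( ! function_exists( 'esc_html' ) ) {
    // Approximates WordPress esc_html(): encode a value for an HTML text node.
    function esc_html( string $text ): string {
        return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    // Approximates WordPress esc_attr(): encode a value for a quoted attribute.
    function esc_attr( string $text ): string {
        return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    // Approximates WordPress esc_url(): allow http(s)/mailto and relative URLs,
    // prepend http:// to a bare host such as "www.this.com", and reject any
    // other scheme (javascript:, data:, ...) by returning ''.
    function esc_url( string $url ): string {
        $url = trim( $url );
        if ( $url === '' ) {
            return '';
        }
        if ( preg_match( '#^(https?:|mailto:|/|\#|\?)#i', $url ) !== 1 ) {
            if ( strpos( $url, ':' ) !== false ) {
                return '';
            }
            $url = 'http://' . $url;
        }
        return htmlspecialchars( $url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Constructed test values standing in for get_post_meta( $post_id, 'open_to', true )
// and similar calls: whatever an editor or a buggy plugin saved is stored verbatim.
$open_to  = 'Members" onmouseover="alert(1)<img src=x onerror=alert(2)>';
$web_link = 'javascript:alert(3)';
$price    = '36.10';

// Vulnerable: the stored string is spliced straight into markup, so it becomes
// an event handler attribute and an <img> tag in the visitor's browser.
function render_unescaped( string $open_to, string $url ): string {
    return "<p class=\"open-to\" title=\"$open_to\">$open_to</p>"
         . "<a href=\"$url\">Website</a>";
}

// Hardened: the same template, each value escaped for the context it lands in.
function render_escaped( string $open_to, string $url, string $price ): string {
    // floatval( '36.10' ) gives 36.1; number_format pads to exactly two decimals.
    $amount = number_format( (float) $price, 2, '.', '' );

    return '<p class="open-to" title="' . esc_attr( $open_to ) . '">'
         . esc_html( $open_to ) . '</p>'
         . '<a href="' . esc_url( $url ) . '">Website</a>'
         . '<span class="price">' . esc_html( $amount ) . '</span>';
}

// Stand-alone demonstration only; in a real theme you would echo render_escaped()
// from the template and never keep render_unescaped() at all.
if ( PHP_SAPI === 'cli' ) {
    echo render_unescaped( $open_to, $web_link ), PHP_EOL;
    echo render_escaped( $open_to, $web_link, $price ), PHP_EOL;
}
```

Running this with php from the command line prints two lines: the first carries a live onmouseover handler, an injected <img> and a javascript: link; the second shows the same meta value as inert text, the href emptied out, and the price as 36.10. The hard-coded redirect in the question is a different case: a literal URL in your own template is trusted, so wp_redirect( 'http://www.this.com' ) needs no escaping. If the redirect target ever comes from a request parameter or stored data, use wp_safe_redirect() instead, which restricts the destination to the site's allowed hosts.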