• Resolved Guido

    (@guido07111975)


    Hi,

    I have 2 questions about escaping data in the front end of my website.

    1) Should I escape a sprintf itself?

    sprintf(__( 'Date: %s', 'mytextdomain' ), date_i18n( get_option( 'date_format' ), $date ) );

    Currently I only escape the $date part:

    $date = esc_html(get_post_meta( get_the_ID(), 'date', true ));

    2) As displayed above, I escape the get_post_meta; should this be escaped?

    Guido

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator bcworkz

    (@bcworkz)

    Hi Guido,

    In your example, just the $date is fine. The only reason to do so later is if you need the output to appear like HTML instead of be treated as HTML. In other words to look like <a href="https://example.com">Link</a> instead of Link.

    The general rule is escape just before output, but since $date is the last variable assigned and all else is static content, that is late enough.

    I am no security expert though, look through Data Validation and decide for yourself. I don’t want to be responsible for any security holes in your site 🙂

    Thread Starter Guido

    (@guido07111975)

    Hi,

    Thanks (again) for your response.
    I was mostly wondering because of the multiple components of the sprintf. I did read somewhere that I should escape the translation part as well, but when I take a look at (for example) the default Twenty Fifteen theme, it’s not being done there either.

    But I do think this should be very safe:

    sprintf(esc_attr__( 'Date: %s', 'mytextdomain' ), date_i18n( get_option( 'date_format' ), esc_html($date) ) );

    What do you think?

    Guido

    Moderator bcworkz

    (@bcworkz)

    Better safe than sorry I suppose. It certainly would not hurt anything.

    I’m trying to imagine a security breach through translation. It’s certainly possible for a translator to insert malicious code as a supposed translation; after all, we often do not know who writes these. It’s quite far-fetched IMO.

    And it is possible for a hacker to modify a translation file to insert malicious code, but if the hacker is capable of that, we have bigger problems than hacked translation files: the hacker could likely change any WP file he chose, if not any file on the server.

    I personally would not lose sleep because my translations were not escaped, but then I’m no security expert. If I were I’d never get any sleep 🙂
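    The two points discussed in this thread, escaping as late as possible and covering both parts of a translated sprintf() (the format string and the inserted value), put together in one template helper. This is an added example, not code from the thread or from WordPress core or a bundled theme. It assumes a WordPress theme context; the 'mytextdomain' text domain and the 'date' meta key come from the question, the mytheme_ function name is an assumption, and the stored meta is assumed to be either a Unix timestamp or a strtotime()-parsable string. esc_html__() is used rather than esc_attr__() because the output lands in element content, not in an attribute.

```php
<?php
/**
 * Added example (not from the thread or from WordPress core): the
 * "escape at output" pattern applied to a translated sprintf() whose
 * argument comes from post meta.
 *
 * Assumptions: runs inside a WordPress theme; 'mytextdomain' and the
 * 'date' meta key are taken from the question; the 'mytheme_' prefix and
 * the accepted meta formats are assumed for this example.
 */

/**
 * Echo "Date: <formatted date>" for a post, fully escaped.
 *
 * Escaping happens here, at the point of output, so the raw meta value
 * can be validated and formatted first without double-escaping it.
 */
function mytheme_the_event_date( int $post_id ): void {
    // Step 1: read the raw meta. Nothing is escaped yet; this is data,
    // not output, and escaping it now would mangle the timestamp check.
    $raw = get_post_meta( $post_id, 'date', true );

    // Step 2: validate. Accept a Unix timestamp or a parsable date string
    // (assumed formats); anything else is treated as "no date" and the
    // helper prints nothing rather than passing junk into date_i18n().
    if ( is_numeric( $raw ) ) {
        $timestamp = (int) $raw;
    } elseif ( is_string( $raw ) && '' !== $raw ) {
        $timestamp = strtotime( $raw );
    } else {
        $timestamp = false;
    }
    if ( false === $timestamp ) {
        return;
    }

    // Step 3: format. The date format option is site-configurable, so the
    // result is still treated as untrusted text until it is escaped.
    $formatted = date_i18n( get_option( 'date_format' ), $timestamp );

    // Step 4: escape both components of the sprintf() and echo.
    //  - esc_html__() returns the translated format string, HTML-escaped,
    //    so a translation containing markup is rendered as literal text.
    //  - esc_html() escapes the formatted date the same way.
    echo sprintf(
        esc_html__( 'Date: %s', 'mytextdomain' ),
        esc_html( $formatted )
    );
}

// Usage in a template, inside The Loop:
// mytheme_the_event_date( get_the_ID() );
```

    Because the helper does its own escaping and echoes directly, the template never handles a half-escaped string, which is the situation the "escape late" rule exists to avoid: the meta value is read once, validated, formatted, and escaped exactly once on its way out.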

    Thread Starter Guido

    (@guido07111975)

    After some additional searching I’m convinced that if you escape all ‘dynamic data’ in the front end, everything is safe enough.

    Thanks. Closing this topic.

    Guido

  • The topic ‘Question about escaping data in the front end’ is closed to new replies.