• Resolved C. Perez

    (@crispybacon)


    Hello,
    I am confused as to whether it is necessary to escape HTML and HTML attributes in arguments passed to a function. For example, is it necessary to use esc_html() and esc_attr(), like in the code below, when the arguments relate to HTML tags and attributes? Thanks!

    <?php
    $args = array(
        'theme_location'  => 'mobile-nav',
        'container'       => esc_html( 'nav' ),
        'container_id'    => esc_attr( 'mobile-nav' ),
        'container_class' => esc_attr( 'mobile-nav' ),
        'menu_class'      => esc_attr( 'header-menu' ),
    );
    wp_nav_menu( $args );
    ?>
Viewing 2 replies - 1 through 2 (of 2 total)
  • In that specific case, no escaping is needed because there are no variables.
    If the values are in variables and could be modified (especially by the user) then you need to sanitize.
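
The distinction drawn in the reply above, as an added example that is not part of the original thread: the same `wp_nav_menu()` call when some arguments come from settings that can change instead of hard-coded literals. It assumes the code runs inside a WordPress theme template; the setting names `mytheme_nav_tag`, `mytheme_nav_class` and `mytheme_nav_label` are hypothetical.

```php
<?php
// Hypothetical theme settings (assumed names) whose values can be changed
// outside the code, so they are treated as untrusted input.
$tag_setting   = get_theme_mod( 'mytheme_nav_tag', 'nav' );
$class_setting = get_theme_mod( 'mytheme_nav_class', 'mobile-nav' );
$label_setting = get_theme_mod( 'mytheme_nav_label', 'Menu' );

// An element name is not free text: check it against a fixed allow-list
// and fall back to a known-good value instead of trying to escape it.
$allowed_tags = array( 'div', 'nav' );
$container    = in_array( $tag_setting, $allowed_tags, true ) ? $tag_setting : 'nav';

// The setting may hold several space-separated classes. Sanitize each token
// with sanitize_html_class() and drop any token that ends up empty.
$tokens          = preg_split( '/\s+/', (string) $class_setting, -1, PREG_SPLIT_NO_EMPTY );
$classes         = array_filter( array_map( 'sanitize_html_class', $tokens ) );
$container_class = $classes ? implode( ' ', $classes ) : 'mobile-nav';

wp_nav_menu(
	array(
		'theme_location'  => 'mobile-nav',    // Literal: nothing to sanitize.
		'container'       => $container,      // Variable: allow-listed above.
		'container_id'    => 'mobile-nav',    // Literal.
		'container_class' => $container_class, // Variable: sanitized above.
		'menu_class'      => 'header-menu',   // Literal.
	)
);

// When a template prints such values itself, escape at the point of output
// with the function that matches the context (attribute vs. element text).
printf(
	'<button class="%1$s" aria-controls="mobile-nav">%2$s</button>',
	esc_attr( $container_class ),
	esc_html( $label_setting )
);
```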

    Thread Starter C. Perez

    (@crispybacon)

    Great. Thanks for your prompt reply, Joy! I appreciate it.

  • The topic ‘Escaping HTML and attributes in arguments passed to a function’ is closed to new replies.