• hi.
    Is it possible to generate HTML code inside a variable and then echo it in WordPress, like this code:

    public function settings_inline_style_callback() {
    	$temp0 = '<input type="radio" name="My_options[inline_style]" id="inline_style_';
    	$temp1 = '<label for="inline_style_';
    	
    	$html = $temp0 . '0" value="0" ' . checked( $this->options['inline_style'] , '0', false ) . ' />';
    	$html .= $temp1 . '0">External CSS style</label><br />';
    	$html .= $temp0 . '1" value="1" ' . checked( $this->options['inline_style'], '1', false ) . ' />';
    	$html .= $temp1 . '1">Inline CSS style</label>';
    	echo $html;
    }

    The WordPress plugin review team said the escape was not done properly.
    I am new to WordPress. I do not understand the problem with this code.
    How should I modify this code?

    Thank you very much for your help.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Bob

    (@prasunsen)

    Oops, my bad, I did not notice it’s not a variable.
    So that line is not a problem. I guess they dislike the way you are constructing the field. I don’t see a security issue with your code, but I recommend just asking the support team to clarify.

    MK

    (@mkarimzada)

    It’s always a good practice to validate inputs and sanitize outputs, especially when you are publishing a plugin.

    Escaping is securing output: it prevents XSS attacks and converts the special HTML characters to HTML entities, so they are displayed instead of being executed.

    You can read more here: https://codex.wordpress.org/Data_Validation

    In your case you can escape value attributes with esc_attr() and label inputs with esc_html().

    I hope this helps.
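The following is an added example, not code from either poster, showing the same radio-button field rebuilt with the escaping the reply describes: esc_attr() on every attribute value and esc_html() on the label text, with checked() still supplying the checked attribute. It assumes it runs inside a WordPress plugin where those core functions exist; the function_exists() fallbacks are only there so the file can be run with plain `php` outside WordPress and are not the real core implementations. The class name My_Settings_Example and the method build_inline_style_field() are invented for the example.

```php
<?php
// Added example (not the poster's code). Inside WordPress, esc_attr(), esc_html()
// and checked() are provided by core; the simplified stand-ins below exist only so
// this file runs outside WordPress and should not be copied into a plugin.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'checked' ) ) {
    // Stand-in for core's checked(): returns ' checked="checked"' when both values match as strings.
    function checked( $checked, $current = true, $echo = true ) {
        $result = ( (string) $checked === (string) $current ) ? ' checked="checked"' : '';
        if ( $echo ) {
            echo $result;
        }
        return $result;
    }
}

class My_Settings_Example {
    private $options;

    public function __construct( array $options ) {
        $this->options = $options;
    }

    // Builds the field as a string so the escaped output can be inspected or tested.
    public function build_inline_style_field() {
        $choices = array(
            '0' => 'External CSS style',
            '1' => 'Inline CSS style',
        );

        // The stored option comes from the database; treat it as untrusted input.
        $current = isset( $this->options['inline_style'] ) ? (string) $this->options['inline_style'] : '0';

        $html = '';
        foreach ( $choices as $value => $label ) {
            $value = (string) $value; // PHP turns numeric-string keys into ints
            $id    = 'inline_style_' . $value;

            // Every dynamic part placed in an attribute goes through esc_attr();
            // checked() with $echo = false returns the attribute instead of printing it.
            $html .= sprintf(
                '<input type="radio" name="My_options[inline_style]" id="%1$s" value="%2$s"%3$s />',
                esc_attr( $id ),
                esc_attr( $value ),
                checked( $current, $value, false )
            );

            // Text between tags goes through esc_html().
            $html .= sprintf(
                '<label for="%1$s">%2$s</label><br />',
                esc_attr( $id ),
                esc_html( $label )
            );
        }

        return $html;
    }

    // The settings callback now echoes a string whose dynamic parts were all escaped.
    public function settings_inline_style_callback() {
        echo $this->build_inline_style_field();
    }
}

// Constructed sample option array for a quick run outside WordPress.
$example = new My_Settings_Example( array( 'inline_style' => '1' ) );
echo $example->build_inline_style_field(), "\n";
```

Escaping at the point of output is what the review team looks for: even when the values concatenated into the string are literals today, the reviewer cannot tell that from a bare `echo $html;`, and wrapping each attribute value and text node in esc_attr() / esc_html() keeps the field safe if a later change feeds it values read from the database or a request.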

  • The topic ‘escape problem’ is closed to new replies.