Adding custom code to your WordPress website is powerful. You can add virtually any type of functionality. That’s great – but it also comes with responsibility.
The output of your code must be secure. Otherwise, a malicious actor could take advantage. For example, they could execute a rogue JavaScript or PHP snippet to spread malware. It puts users at risk and is a mess to clean up.
Thankfully, WordPress provides a way to prevent these sorts of attacks. Escaping data output strips unwanted and unsafe code. In other words, the feature ensures that only safe content will be output. It’s extra peace of mind when building custom themes and plugins.
If you have coding knowledge, escaping PHP data output is relatively simple. However, it’s also an easy step to miss. That’s why improper code sanitization is one of the leading security issues in the WordPress ecosystem.
Let’s change that narrative, one snippet at a time. Here’s a quick guide to escaping PHP data in WordPress. It could save you from a security nightmare or two.
A Way to Control and Safeguard Your Site’s Data
What does data escaping do? Think of it as a filter in a coffeemaker. A filter’s job is to capture the ground-up beans and let the tasty liquid through. Likewise, escaping data filters out potentially dangerous bits of code before it’s rendered in a web browser.
Let’s use a website contact form as an example. Our form might have fields for:
- Name
- Email Address
- Postal Address
- Message
Each field has a specific purpose. We assume a user will add their first and last name to the “Name” field, and so on.
But what if they don’t? We can’t guarantee that everyone will behave as expected. Assuming they will is a mistake.
A malicious user or bot could try to add JavaScript to one or more of our fields. That code might be executed on our website. Any number of bad things could happen from there. The code could redirect you to a dangerous site or grab personal information such as passwords or payment details.
Escaping the data collected by our form can prevent such shenanigans. The feature limits what input the fields will accept. It also prevents any disallowed input from being rendered.
Like a coffee filter, data escaping cleans up our output while letting the good stuff flow through.
WordPress Data Escaping Functions
WordPress provides several functions for escaping data. Each is designed to handle different types of content.
For instance, the esc_html() function will remove any HTML from the input. One example would be a user who includes HTML in a page title. This function ensures the code isn’t rendered in the output.
Let’s say an adventurous user places the following in a page title field:
About UsWe haven’t escaped the PHP code in our theme:
WordPress won’t remove the extra HTML in this scenario. That could be dangerous!
Now, let’s use esc_html() to strengthen our security:
The function will strip the HTML tags added by the user, leaving only the text:
Perhaps the code in our example is harmless. However, it opens the door to someone with more sinister intentions. Escaping data is a simple step that protects your website and everyone who visits it.
Common Escaping Functions
Let’s take a quick look at a few other escaping functions:
esc_js() – This function is used to sanitize inline JavaScript code. It escapes special characters and prevents XSS attacks.
Click meesc_url() – Sanitizes URLs before output by escaping unsafe characters and validates HTTP/HTTPS protocols. You can also use esc_url_raw() to store URLs in the site’s database.
Visit our sitewp_kses() – Escapes all non-trusted code while preserving HTML. Alternately, wp_kses_post() preserves code permitted in a post or page.
The above functions are among the most commonly used by developers. Check out the WordPress documentation for a complete list with code examples.
Where Should You Use Escaping Functions?
Escaping functions should be used anywhere you’re handling user input via code. That might be a theme template or a custom plugin. If you’re using custom fields, their output should also be escaped.
Custom code is the primary focus here. If you’re unsure where to start, the Theme Check and Plugin Check plugins will help you find unescaped output in your code. From there, you can add an escaping function and test the changes.
Note that most native WordPress functions like the_content() or the_title() are escaped by default – you don’t need to do anything further.
What if you find some unescaped output in a third-party theme or plugin? Notify the developer! It could be an oversight on their part. Fixing it will help improve the product’s security.
Escape to a Safer Place
It’s easy to forget to escape output when writing code. Developers who aren’t well-versed in security may not even know about it. Code editor apps won’t alert you to the issue. And WordPress will execute your code regardless.
So, keep this security feature in mind. Add it to a checklist or set a reminder in your project notes. It only takes a few extra seconds to implement. And it might be the difference in whether your site is as secure as possible.
Top
