[wp-hackers] esc_url or esc_attr or both

Morgan Estes morgan.estes at gmail.com
Thu Apr 23 15:50:16 UTC 2015


In this case, esc_js() isn't used properly and is overkill; its main use
is for escaping inline handlers like onclick. Since you're escaping a URL
that's used in the src attribute, esc_url() works just fine.

If you're escaping JS values, use wp_json_encode() and avoid using esc_js()
(and inline event handlers in general).

On another note, if you can at all avoid document.write() for adding an
element to the DOM, you'll be much happier for it. :)

Morgan W. Estes
http://morganestes.com <http://about.me/morganestes>

On Wed, Apr 22, 2015 at 10:48 PM, Haluk Karamete <halukkaramete at gmail.com>
wrote:

> Thanks Morgan. After your reply, I checked with the codex and saw that it
> says the same exact thing as you said.
> I should not have asked my original question that way. That was too
> obvious.
>
> Maybe I should have asked the question in the following format and see if
> it is the right way or not
>
> document.write('<img src="' + '<?php echo esc_js(esc_url($image_url_js)); ?>' + '">');
>
> Or if the 'esc_js' in there is necessary?
>
> I'm seeking an overall recipe/guidance that would work across the board so
> that I do not overlook some odd situation and get xss'ed.
>
>
>
>
> On Wed, Apr 22, 2015 at 6:30 PM, Morgan Estes <morgan.estes at gmail.com>
> wrote:
>
> > In this case, using esc_url() as in example 1 is the way to go. Because of
> > the way the methods escape output, esc_attr() should be used for all other
> > tag attributes, but src and href should be escaped with esc_url().
> >
> > On Wed, Apr 22, 2015, 7:59 PM Haluk Karamete <halukkaramete at gmail.com>
> > wrote:
> >
> > > Say, you're retrieving a value from the DB and you expect that to be in
> > > the form of a URL.
> > >
> > > Let's assume that that value has to go in an img tag as its src
> > > attribute.
> > >
> > > In this case, what's the recommended way to escape that from an XSS point
> > > of view?
> > >
> > > I provided 4 ways below;
> > >
> > > 1: just do esc_url
> > > <img src="<?php echo esc_url($url_maybe); ?>" >
> > >
> > > 2: just do esc_attr
> > > <img src="<?php echo esc_attr($url_maybe); ?>" >
> > >
> > > 3: do both but run esc_attr first
> > > <img src="<?php echo esc_url(esc_attr($url_maybe)); ?>" >
> > >
> > > 4: do both but run esc_url first
> > > <img src="<?php echo esc_attr(esc_url($url_maybe)); ?>" >
> > >
> > >
> > > Similar confusion may occur in deciding esc_js and so on.
> > > What simple guide can I use in situations like this?
> > > _______________________________________________
> > > wp-hackers mailing list
> > > wp-hackers at lists.automattic.com
> > > http://lists.automattic.com/mailman/listinfo/wp-hackers
> > >
>
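The two recommendations in the thread (esc_url() alone for a URL in src, and wp_json_encode() instead of esc_js() when the same URL is handed to JavaScript, built through the DOM rather than document.write()) together, as an added example that is not code from the thread or from WordPress core. It assumes it runs inside WordPress, so esc_url(), esc_url_raw(), esc_attr() and wp_json_encode() are loaded; the function name, the option key and the element id are hypothetical placeholders.

```php
<?php
/**
 * Added example, not from the thread. Renders a URL that was read from the
 * database into an <img src> attribute and into a small inline script.
 * Assumes WordPress is loaded. 'hypothetical_image_url' and
 * 'hypothetical-target' are placeholder names.
 */
function hypothetical_image_markup( $image_url, $alt_text ) {
	// 1. URL inside an HTML attribute: esc_url() only. It rejects URLs with
	//    disallowed schemes (javascript: and friends), strips characters that
	//    cannot occur in a URL (quotes, angle brackets) and entity-encodes
	//    the rest for attribute context, so a second esc_attr() pass is
	//    redundant. Every other attribute (alt, title, class...) gets esc_attr().
	$html = sprintf(
		'<img src="%s" alt="%s">',
		esc_url( $image_url ),
		esc_attr( $alt_text )
	);

	// 2. The same URL handed to JavaScript. Two things differ from the
	//    attribute case:
	//    - esc_url_raw() does the same scheme/character sanitising as
	//      esc_url() but without HTML entity encoding, which would leave
	//      literal "&#038;" sequences inside a JS string.
	//    - wp_json_encode() turns the value into a complete, quoted JS
	//      string literal (quotes, backslashes and "/" escaped, so "</script>"
	//      cannot appear unescaped), which is why esc_js() is not needed.
	//    The element is created through the DOM instead of document.write().
	$js_url = wp_json_encode( esc_url_raw( $image_url ) );
	$html  .= sprintf(
		'<script>(function () {'
		. ' var img = document.createElement("img");'
		. ' img.src = %s;'
		. ' document.getElementById("hypothetical-target").appendChild(img);'
		. ' })();</script>',
		$js_url
	);

	return $html;
}

// Usage in a template: the value comes from the DB (a placeholder option key).
echo hypothetical_image_markup(
	get_option( 'hypothetical_image_url', '' ),
	'Image loaded from a stored URL'
);
```

The split between esc_url() for markup and esc_url_raw() plus wp_json_encode() for script context is the whole point: each output context gets the one escaping function written for it, and stacking esc_attr() on top of esc_url() (options 3 and 4 in the original question) double-encodes without adding protection.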

