
I read this and I did the below.

```php
// HTML-escape the translated text, wrap it in a JS string literal, then escape the whole handler for the attribute
$confirmation = htmlspecialchars( 'return confirm("' . esc_html__( 'Do you really want to delete?', 'tor-child' ) . '");' );

// The escaped handler is placed in the form's onsubmit attribute
$output .= '<form method="post" action="" onsubmit="' . $confirmation . '">';
```

Security is my concern. So, could I be overdoing it by using htmlspecialchars and esc_html__ together in $confirmation?

Or should I replace esc_html__() with __() and still be safe? Someone might enter some markup in translation text, though.

mewiben39
  • Not a WP user but from quick read of documentation `esc_html__` seems to be the same as `htmlspecialchars`, but with a UTF8 check. https://developer.wordpress.org/reference/functions/esc_html/ and https://developer.wordpress.org/reference/functions/_wp_specialchars/ – user3783243 May 22 '22 at 10:55
  • Your question could use some more clarity. `esc_` is for output. Are you trying to `sanitize` user input, or `esc` output to the page? If output, how is `$output` returned to the page? At what point is the `$output` printed? – Howard E May 22 '22 at 11:02

1 Answer


The esc_html__() and __() functions are used for output, whereas sanitizing is related to securing input. If you're trying to sanitize your input values then you can use the built-in sanitization functions from here.

If you're trying to escape output that might contain markup then you should use wp_kses() or wp_kses_post().

References:
reference1 reference2

rootShiv
Reza Khan
  • I'm using esc_html__() to translate and output some text. But this text is a user input from our own developer, in case someone might slip up and enter HTML tags in the translation or the translation file may be compromised. Thus, I'm trying to ensure that wherever the input comes from, it will be sanitized. So, do you still think my code is safe? – mewiben39 May 25 '22 at 11:47
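As an added example (not code from the question or the answer), the following PHP runs the question's construction, the `__()`-only variant, and a one-escape-per-context variant over a constructed translation string that contains a quote and markup, and prints what the browser's JS engine would see after attribute decoding. It assumes no WordPress is loaded: `esc_html__()` and `esc_attr()` are stand-ins defined only when absent (they skip translation and only escape), and `json_encode()` stands in for `wp_json_encode()`.

```php
<?php
// Stand-ins for the WordPress helpers, defined only when WordPress is not loaded.
// Real esc_html__() also translates; both use ENT_QUOTES like _wp_specialchars().
if ( ! function_exists( 'esc_html__' ) ) {
    function esc_html__( $text, $domain = 'default' ) {
        return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Constructed "translation" of the kind a careless or compromised .po file might carry.
$untrusted_translation = 'Do you "really" want to delete <b>this</b>?';

// 1. The question's construction: HTML-escape the text, embed it in a JS string,
//    then HTML-escape the whole handler again. Nothing can leave either context,
//    but the dialog shows the quotes and tags double-encoded (&quot; and &lt;b&gt;).
function confirm_attr_double_escaped( $text ) {
    return htmlspecialchars( 'return confirm("' . esc_html__( $text, 'tor-child' ) . '");' );
}

// 2. Replacing esc_html__() with plain __(): the attribute is still escaped, so the
//    HTML cannot be broken out of, but a " in the translation ends the JS string
//    literal early and the handler is no longer the JS the developer wrote.
function confirm_attr_js_context_unescaped( $text ) {
    return htmlspecialchars( 'return confirm("' . $text . '");' );
}

// 3. One escape per context, inside out: json_encode() emits a valid JS string
//    literal (the JSON_HEX_* flags also neutralise < > & ' " for the JS layer),
//    then esc_attr() escapes for the HTML attribute. The dialog shows the original
//    text, quotes included, and no character can terminate either context.
function confirm_attr_layered( $text ) {
    $flags      = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE;
    $js_literal = json_encode( $text, $flags );
    return esc_attr( 'return confirm(' . $js_literal . ');' );
}

foreach ( array( 'double_escaped', 'js_context_unescaped', 'layered' ) as $variant ) {
    $attr = call_user_func( 'confirm_attr_' . $variant, $untrusted_translation );
    echo $variant, ":\n  <form method=\"post\" onsubmit=\"", $attr, "\">\n";
    // The browser decodes the attribute once before handing the code to the JS engine.
    echo "  JS seen by the browser: ", html_entity_decode( $attr, ENT_QUOTES, 'UTF-8' ), "\n\n";
}
```

Run it with `php example.php` and compare the three decoded handlers: variant 1 is safe but garbles the message, variant 2 is a JS syntax error at the first embedded quote, and variant 3 is the form to use for text that must pass through both the JS and the attribute context.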