I saw that Themeforest/WordPress says the output of all WordPress default get functions needs to be escaped for security reasons in WordPress theme or plugin development. Now I want to show the password form if a post is password protected, so I'm using the get_the_password_form() function. Do I need to escape this function's output?
If the answer is yes, please help me: how can I escape this function? With esc_html(), esc_url(), etc.? Which function do I need to use for escaping?
Here are the Themeforest requirements
And here is my code
<div class="single-blog-content">
    <?php
    if ( post_password_required() ) {
        echo get_the_password_form();
    } else {
        the_excerpt();
    }
    ?>
</div>
asked Jan 10, 2019 at 5:32 by Md Abul Bashar, edited Jan 10, 2019 at 5:51 by fuxia
- You couldn't really escape it. It contains HTML so escaping it would only break it. You should contact Themeforest if you have questions about their requirements. – Jacob Peattie Commented Jan 10, 2019 at 6:51
1 Answer
There is nothing to escape in your code.
Let’s say a given function should return only plain text and no HTML entities should be allowed. For example, you want to display the search query string.
In such a case you should use esc_html.
This way, if the user puts <b>ala</b> as the search string, your site will print exactly that.
If you don’t escape that string before printing it, it will be treated as HTML code and you’ll see only the bold word ala.
But... you have to escape with the proper function depending on context.
So:
<h1>You’re looking for: <?php echo esc_html( get_query_var( 's' ) ); ?></h1>
But:
<input name="s" value="<?php echo esc_attr( get_query_var( 's' ) ); ?>"/>
So, let’s get back to your code...
get_the_password_form() should display HTML tags and they should be processed as HTML code by the browser - so you can’t escape it. If you do, you’ll see a string containing HTML tags instead of the form.
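An added example, not part of the original answer: when a theme replaces the form markup through the `the_password_form` filter, each dynamic value is escaped for its own context, and the template can pass the finished HTML through `wp_kses()` with an allowlist instead of escaping it. The `mytheme_*` function names, the `mytheme` text domain and the allowlist contents are assumptions and must match the markup your form actually emits.

```php
<?php
// functions.php (added example; "mytheme" names and the allowlist are assumptions).

// Tags and attributes the password form may contain. Anything not listed
// (script tags, event-handler attributes, inline styles) is stripped by wp_kses().
function mytheme_password_form_allowed_html() {
	return array(
		'form'  => array( 'action' => true, 'method' => true, 'class' => true ),
		'p'     => array(),
		'label' => array( 'for' => true ),
		'input' => array(
			'type' => true, 'name' => true, 'id' => true,
			'size' => true, 'value' => true, 'class' => true,
		),
	);
}

// Theme-specific form markup: every dynamic value is escaped for the context
// it lands in (URL attribute, plain attribute, element text).
function mytheme_password_form( $output ) {
	$field_id = 'pwbox-' . wp_rand();
	return '<form action="' . esc_url( site_url( 'wp-login.php?action=postpass', 'login_post' ) ) . '" method="post" class="post-password-form">'
		. '<p>' . esc_html__( 'This content is password protected.', 'mytheme' ) . '</p>'
		. '<p><label for="' . esc_attr( $field_id ) . '">' . esc_html__( 'Password:', 'mytheme' ) . '</label> '
		. '<input type="password" name="post_password" id="' . esc_attr( $field_id ) . '" size="20" /> '
		. '<input type="submit" name="Submit" value="' . esc_attr__( 'Enter', 'mytheme' ) . '" /></p>'
		. '</form>';
}
add_filter( 'the_password_form', 'mytheme_password_form' );
?>
<!-- Template file: the form stays HTML, but only allowlisted markup survives. -->
<div class="single-blog-content">
	<?php
	if ( post_password_required() ) {
		// Sanitize rather than escape: esc_html() here would print the tags as text.
		echo wp_kses( get_the_password_form(), mytheme_password_form_allowed_html() );
	} else {
		the_excerpt();
	}
	?>
</div>
```

The `wp_kses()` call also covers markup injected by other plugins hooked to the same filter, which the theme does not control.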