Escape when echoed
I have been trying to submit my plugin for review, but I keep running into problems with the echo line.
The last version I posted was this:
<option value="">
<?php _e( '- Default', MF_TEXT_DOMAIN ); ?>
</option>
<?php foreach ( $folders as $folder ) {
    $folder = trim( $folder );
    $folder = esc_attr( $folder );
    echo "<option value=\"{$folder}\">{$folder}</option>";
} ?>
WordPress replied:
This is not escaped:
echo "<option value=\"{$folder}\">{$folder}</option>";
$folder MUST be escaped when it's echo'd.
Now I am about to submit the code for review again, but first I want to make sure I have it right.
Here is the new code:
<option value="">
<?php _e( '- Default', MF_TEXT_DOMAIN ); ?>
</option>
<?php foreach ( $folders as $folder ) {
    $folder = trim( $folder );
    echo '<option value="' . esc_attr( $folder ) . '">' . esc_attr( $folder ) . '</option>';
} ?>
I would be grateful if someone could help, because I am a bit confused about what "escaped" means here.
According to the developer documentation, everything must be escaped for security reasons. Below are the escaping functions WordPress provides for different kinds of data:
esc_attr() // Use on everything else that’s printed into an HTML element’s attribute.
esc_html() // Use anytime an HTML element encloses a section of data being displayed. This WILL NOT display HTML content, it is meant for being used inside HTML and will remove your HTML.
esc_js() // Use for inline Javascript.
esc_textarea() // Use this to encode text for use inside a textarea element.
esc_url() // Use on all URLs, including those in the src and href attributes of an HTML element.
esc_url_raw() // Use when storing a URL in the database or in other cases where non-encoded URLs are needed.
wp_kses() // Use to safely escape for all non-trusted HTML (post text, comment text, etc.)
wp_kses_post() // Alternative version of wp_kses() that automatically allows all HTML that is permitted in post content.
wp_kses_data() // Alternative version of wp_kses() that allows only the HTML permitted in post comments.
If you want to read more, see the official documentation:
https://developer.wordpress.org/plugins/security/securing-output/
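To make the distinction in that list concrete, here is an added example (not code from the question or from WordPress itself) that renders the folder options with esc_attr() for the value attribute and esc_html() for the visible text, escaping at the point of output so a reviewer can see it on the echo line. The function_exists() stand-ins are an assumption so the snippet runs from the PHP CLI outside WordPress, and the folder names are constructed sample input.

```php
<?php
// Outside WordPress, esc_attr() and esc_html() are not defined, so minimal
// stand-ins based on htmlspecialchars() are provided here (assumption for
// running from the CLI). Inside a plugin the real WordPress functions apply
// and these guards are skipped.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

/**
 * Build the <option> markup for a list of folder names.
 *
 * Each value is escaped where it is emitted: esc_attr() because it lands
 * inside the value="" attribute, esc_html() because it lands between the
 * opening and closing tags. Escaping into a variable earlier and echoing
 * the variable later is what the reviewer flagged as "not escaped".
 */
function render_folder_options( array $folders ) {
    $html = '';
    foreach ( $folders as $folder ) {
        $folder = trim( $folder );
        $html .= '<option value="' . esc_attr( $folder ) . '">'
               . esc_html( $folder )
               . '</option>' . "\n";
    }
    return $html;
}

// Constructed sample input: one plain name and one containing quotes,
// an ampersand and angle brackets, which must not be allowed to end the
// attribute or start a new tag when rendered.
$folders = array( 'reports', ' Q1 "final" & <draft> ' );

echo render_folder_options( $folders );
```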