wp_specialchars and wp_specialchars_decode in a shortcode plugin

I have written my first plugin, a shortcode plugin. I have read about wp_specialchars and wp_specialchars_decode but I’m not sure how to use them.

The plugin reads a shortcode allowing some parameters and it inserts a script in the page HTML code. For example, [MYSHORTCODE TITLE="a short title"] yields the following script code lines:

$html ="<script type=\"text/javascript\">\n";
$html.="var text=\"" . $par['title'] . "\";\n";

I’m not sure if here I need to write:

$html.="var text=\"" . wp_specialchars_decode($par['title']) . "\";\n";

or

$html.="var text=\"" . wp_specialchars($par['title']) . "\";\n";

or neither one nor the other.

1 comment

  1. The Codex description of these two functions:

    wp_specialchars: Converts a number of special characters into their
    HTML entities. Specifically deals with: &, <, >, ", and '.

    wp_specialchars_decode: Converts a number of HTML entities into
    their special characters.

    According to

    http://codex.wordpress.org/Function_Reference/wp_specialchars

    This function is deprecated as of WordPress 2.8.0. Please use esc_html
    instead.

    You don’t want to have special characters in your html output, so you would rather not use wp_specialchars_decode for that.

    There is a special function called esc_js() that you should consider

    http://codex.wordpress.org/Function_Reference/esc_js

    The source code for this function can be found here:

    http://core.trac.wordpress.org/browser/tags/3.5.1/wp-includes/formatting.php#L2641

    /**
     * Escape single quotes, htmlspecialchar " < > &, and fix line endings.
     *
     * Escapes text strings for echoing in JS. It is intended to be used for inline JS
     * (in a tag attribute, for example onclick="..."). Note that the strings have to
     * be in single quotes. The filter 'js_escape' is also applied here.
     *
     * @since 2.8.0
     *
     * @param string $text The text to be escaped.
     * @return string Escaped text.
     */
    function esc_js( $text ) {
            $safe_text = wp_check_invalid_utf8( $text );
            $safe_text = _wp_specialchars( $safe_text, ENT_COMPAT );
            $safe_text = preg_replace( '/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes( $safe_text ) );
            $safe_text = str_replace( "\r", '', $safe_text );
            $safe_text = str_replace( "\n", '\n', addslashes( $safe_text ) );
            return apply_filters( 'js_escape', $safe_text, $text );
    }


    Here is a good data validation overview:

    http://codex.wordpress.org/Data_Validation
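The shortcode handler the question describes, rewritten to use esc_js() as the answer recommends. This is an added example, not the poster's plugin; it assumes WordPress is loaded, since add_shortcode(), shortcode_atts() and esc_js() are WordPress core functions, and the handler name myshortcode_render is hypothetical.

```php
<?php
/*
Plugin Name: MYSHORTCODE title example (added example, not the original plugin)
*/

// Assumes WordPress core is loaded: add_shortcode(), shortcode_atts() and
// esc_js() are WordPress functions. myshortcode_render is a hypothetical name.

function myshortcode_render( $atts ) {
    // WordPress lowercases shortcode attribute names when it parses them,
    // so TITLE="a short title" arrives here as $atts['title'].
    $par = shortcode_atts( array( 'title' => '' ), $atts, 'MYSHORTCODE' );

    // The form from the question: the raw attribute value is dropped into a
    // JS string literal. A quote or newline in the title can end the literal,
    // so whatever follows in the title is parsed as JavaScript.
    //
    //   $html .= "var text=\"" . $par['title'] . "\";\n";

    // Fixed form: esc_js() escapes ' " < > & and line endings for inline JS.
    // Its docblock says the JS string has to be in SINGLE quotes, because
    // esc_js() turns a double quote into &quot; but backslash-escapes a
    // single quote, so the literal below uses '...' not the question's "...".
    $html  = "<script type=\"text/javascript\">\n";
    $html .= "var text='" . esc_js( $par['title'] ) . "';\n";
    $html .= "</script>\n";

    // A shortcode handler must return its markup, not echo it; echoing would
    // print the script before the post content rather than at the shortcode.
    return $html;
}

// Registered with the tag exactly as the question writes it in the post.
add_shortcode( 'MYSHORTCODE', 'myshortcode_render' );
```

Neither wp_specialchars() nor wp_specialchars_decode() is the right tool here: the first produces HTML entities, which are wrong inside a JS string, and the second removes escaping rather than adding it.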