<?php echo $title ?> vs <?php echo esc_html( $title ); ?> WordPress Security

Reading this great article, Data Validation and Sanitization in WordPress, I noticed that in my blog, in header.php, I used <?php echo $title ?> in a couple of code snippets.

According to the above article, in order to secure data, it is important to validate the data itself, since data without validation is vulnerable to hackers.

As suggested by the author, I changed my initial <?php echo $title ?> into <?php echo esc_html( $title ); ?>.

This is the code before changes:

<span class="ads">
<?php
if ( is_user_logged_in() ) {
    echo '<span><a href="/?page_id=175" title="inserisci un annuncio gratis">Pubblica il tuo annuncio gratis: &egrave; facile e veloce!</a></span>';
} else {
    // $title is concatenated into the string: a nested <?php ... ?> tag inside a
    // quoted string is never executed by PHP. Here it is still output unescaped.
    echo '<span><a class="simplemodal-login simplemodal-submit" href="">' . $title . 'Pubblica il tuo annuncio gratis: &egrave; facile e veloce!</a></span>';
}
?>
</span>

This is the code after changes:

<span class="ads">
<?php
if ( is_user_logged_in() ) {
    echo '<span><a href="/?page_id=175" title="inserisci un annuncio gratis">Pubblica il tuo annuncio gratis: &egrave; facile e veloce!</a></span>';
} else {
    // $title is now passed through esc_html() and concatenated into the string,
    // so any markup it carries is rendered as literal text.
    echo '<span><a class="simplemodal-login simplemodal-submit" href="">' . esc_html( $title ) . 'Pubblica il tuo annuncio gratis: &egrave; facile e veloce!</a></span>';
}
?>
</span>

Now my question is (I guess it’s a newbie one!): is the change I made good for my blog’s security?


2 comments

  1. In the article's case, $title is an arbitrary value, as such it should be escaped via HTML, but if it was gotten from a WordPress core function it is probably safe, but you should check anyway.

    For example, get_the_title() can contain html markup and is not escaped by default.

    Either way, post and page titles should not have HTML in them. Styling is for themes, not for content.

    You should validate all data at entry, and that is where you should focus your efforts. What you're doing improves your security, but by how much depends on where the data is coming from.

    I recommend you escape all data on input and output, but do it out of habit rather than for specific exceptional cases.
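As an added example (not code from the question or the comment above), the header.php fragment rewritten as a function so $title is concatenated into the string rather than written as a nested <?php ... ?> tag, which PHP never executes inside a quoted string; it also shows what esc_html() does to a title that carries markup, the get_the_title() case the comment raises. esc_html() is WordPress's own function; the stand-in defined here is an assumption so the file can be run outside WordPress, and the constructed sample title is not real site data.

```php
<?php
// Stand-in for WordPress's esc_html(), used only when WordPress is not loaded
// (assumption for running this file on its own). Inside WordPress the real
// function is defined and this block is skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

/**
 * Render the "pubblica il tuo annuncio" link from the question.
 * $title is the only variable data, so it is the only thing that needs escaping;
 * esc_html() is the right escaper because it lands in element text, not in an
 * attribute or a URL.
 */
function render_ads_link( $title, $logged_in ) {
    $label = 'Pubblica il tuo annuncio gratis: &egrave; facile e veloce!';
    if ( $logged_in ) {
        return '<span><a href="/?page_id=175" title="inserisci un annuncio gratis">'
            . $label . '</a></span>';
    }
    return '<span><a class="simplemodal-login simplemodal-submit" href="">'
        . esc_html( $title ) . ' ' . $label . '</a></span>';
}

// Constructed sample title carrying markup and an ampersand, the kind of value
// get_the_title() can return because it is not escaped by default.
$title = 'Vendo bici <b>usata</b> & accessori';

// In a theme this would be render_ads_link( $title, is_user_logged_in() ).
echo '<span class="ads">' . render_ads_link( $title, false ) . "</span>\n";
// The <b> tags and the & reach the browser as &lt;b&gt;, &lt;/b&gt; and &amp;,
// so they display as literal characters instead of being interpreted as HTML.
echo '<span class="ads">' . render_ads_link( $title, true ) . "</span>\n";
```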