No, you’re right, it’s not necessary.
You should use escaping functions when you can’t trust the value. This would include any user input (even from admin accounts), external content (such as from an API), values from another script or template, or even translations.
For translations, when you use __( 'My text' ) a translation file can replace that content. To reduce the risk of malicious translation files doing something nasty you should escape translatable text. WordPress provides functions like esc_html__() and esc_html_e() as escaped versions of __() and _e().
But if you’re setting the values in the code yourself, you don’t need to escape them.
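As an added illustration of the point above about translations (this is not code from the thread; the two functions are simplified stand-ins for WordPress's __() and esc_html__(), and the translation catalogue is constructed for the demo):

```php
<?php
// Added example, not from the forum post. Shows why the text passed to __() is an
// untrusted value once a translation file can replace it, and what the escaped
// variant changes. my_translate() and my_esc_html_translate() are hypothetical
// stand-ins for WordPress's __() and esc_html__(), not the real implementations.

// Constructed "translation file": maps source strings to translated strings.
// The second entry imitates a tampered catalogue entry that smuggles in markup.
$translations = [
    'Save changes' => 'Änderungen speichern',
    'Delete'       => '<a href="#">Delete</a>',
];

function my_translate(string $text, array $catalogue): string {
    // Plain lookup, like __(): whatever the catalogue holds comes back verbatim,
    // so markup in a translation reaches the page as markup.
    return $catalogue[$text] ?? $text;
}

function my_esc_html_translate(string $text, array $catalogue): string {
    // Like esc_html__(): translate first, then encode <, >, &, " and ' so the
    // result can only render as text, never as tags or attributes.
    return htmlspecialchars(my_translate($text, $catalogue), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

foreach (['Save changes', 'Delete'] as $label) {
    echo "unescaped: " . my_translate($label, $translations) . "\n";
    echo "escaped:   " . my_esc_html_translate($label, $translations) . "\n";
}
```

Run it with `php example.php` and compare the two lines for the "Delete" label: only the escaped one is safe to drop into HTML output.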
Hi there,
no, that’s not necessary. But you have a problem in your code: if you want to output the variable, please use double quotes (") instead. With single quotes echo will output just the dollar sign and the variable name:
$before = '';
$after = '';
if ($hook == true) {
    $before = '<div class="hook">';
    $after = '</div>';
}
// Double quotes: PHP interpolates the variables; with single quotes the names would be printed literally.
echo "$before $some_value $after";
And please don’t forget the dollar sign in the if clause (you are using hook instead of $hook), and keep in mind that variable names can’t include dashes, only underscores ($some_value instead of $some-value)…
Oh, you’ve corrected the echo in the meantime. 🙂
Thread Starter
Guido
(@guido07111975)
Hi Jacob and Marcus,
Thanks for the quick response.
You should use escaping functions when you can’t trust the value.
That’s the explanation I needed; my value is always empty in that case, so it can be trusted. No escaping needed 🙂
Oh, you’ve corrected the echo in the meantime.
Yup, I noticed myself it wasn’t correct 😉
@ritart12 what do you mean?
Guido
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
Hi Guido, that user ritart12 was a spammer and is now blocked.
Thread Starter
Guido
(@guido07111975)
Thanks, I already thought his link was looking suspicious.
Guido