Why escape if the_content isnt?Should I escape wordpress functions like the_title, the_excerpt, the_contentWhy does WordPress change a file's permissions?Do we need to escape data that we receive from theme options?Why are xmlrpc.php and wp-cron.php being called so often?How to escape custom css?Why should I use the esc_url?Why does WordPress have more than one salt?Do you need to escape hard coded plain text?How to escape multiple attribute at once in WordPress?Do I need to escape get_the_post_thumbnail function?

How much code would a codegolf golf if a codegolf could golf code?

Are there categories whose internal hom is somewhat 'exotic'?

Is it appropriate for a business to ask me for my credit report?

Sort, slice and rebuild new object with array data

Why do some academic journals requires a separate "summary" paragraph in addition to an abstract?

Is this kind of description not recommended?

In xXx, is Xander Cage's 10th vehicle a specific reference to another franchise?

Stuffing in the middle

Is a butterfly one or two animals?

How did Apollo 15's depressurization work?

Sous vide chicken without an internal temperature of 165

Chess software to analyze games

I think my coworker went through my notebook and took my project ideas

Unsolved Problems (Not Independent of ZFC) due to Lack of Computational Power

Can a Beast Master ranger choose a swarm as an animal companion?

Can others monetize my project with GPLv3?

Alchemist potion on Undead

What is the latest version of SQL Server native client that is compatible with Sql Server 2008 r2

Use of vor in this sentence

!I!n!s!e!r!t! !n!b!e!t!w!e!e!n!

Count the frequency of items in an array

Has there ever been a truly bilingual country prior to the contemporary period?

How to avoid using System.String with Rfc2898DeriveBytes in C#

Does Denmark lose almost $700 million a year "carrying" Greenland?



Why escape if the_content isnt?


Should I escape wordpress functions like the_title, the_excerpt, the_contentWhy does WordPress change a file's permissions?Do we need to escape data that we receive from theme options?Why are xmlrpc.php and wp-cron.php being called so often?How to escape custom css?Why should I use the esc_url?Why does WordPress have more than one salt?Do you need to escape hard coded plain text?How to escape multiple attribute at once in WordPress?Do I need to escape get_the_post_thumbnail function?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








7















The built in function the_content runs through several filters, but does not escape output. It would be difficult for it to do so, as HTML and even some scripts must be allowed through.



When outputting, the_content seems to run through these filters (as of 5.0):



add_filter( 'the_content', 'do_blocks', 9 );
add_filter( 'the_content', 'wptexturize' );
add_filter( 'the_content', 'convert_smilies', 20 );
add_filter( 'the_content', 'wpautop' );
add_filter( 'the_content', 'shortcode_unautop' );
add_filter( 'the_content', 'prepend_attachment' );
add_filter( 'the_content', 'wp_make_content_images_responsive' );

(and)

add_filter( 'the_content', 'capital_P_dangit' );
add_filter( 'the_content', 'do_shortcode' );


It also does a simple string replace:



$content = str_replace( ']]>', ']]>', $content );



And then get_the_content does a tiny bit of processing related to the "more" link and a bug with foreign languages.



None of those prevent XSS script injection, right?



When saving, the data is sanitized through wp_kses_post. But as this is an expensive process, I understand why it's not used on output.



The rule of thumb for WordPress escaping is that everything needs to be escaped, regardless of input sanitation, and as lately as possible. I've read several articles saying this, because the database is not to be considered a trusted source.



But for the reasons above, the_content doesn't follow that. Nor do the core themes (i.e. TwentyNineteen) add additional escaping on output.



So...why is it helping anything to escape elsewhere? If I were a hacker with access to the database, wouldn't I just add my code to a post's content?










share|improve this question


























  • You forgot wp_kses_post

    – Tom J Nowell
    Mar 27 at 15:20











  • It runs through wp_kses_post on output? Where?

    – tmdesigned
    Mar 27 at 15:38

















7















The built in function the_content runs through several filters, but does not escape output. It would be difficult for it to do so, as HTML and even some scripts must be allowed through.



When outputting, the_content seems to run through these filters (as of 5.0):



add_filter( 'the_content', 'do_blocks', 9 );
add_filter( 'the_content', 'wptexturize' );
add_filter( 'the_content', 'convert_smilies', 20 );
add_filter( 'the_content', 'wpautop' );
add_filter( 'the_content', 'shortcode_unautop' );
add_filter( 'the_content', 'prepend_attachment' );
add_filter( 'the_content', 'wp_make_content_images_responsive' );

(and)

add_filter( 'the_content', 'capital_P_dangit' );
add_filter( 'the_content', 'do_shortcode' );


It also does a simple string replace:



$content = str_replace( ']]>', ']]>', $content );



And then get_the_content does a tiny bit of processing related to the "more" link and a bug with foreign languages.



None of those prevent XSS script injection, right?



When saving, the data is sanitized through wp_kses_post. But as this is an expensive process, I understand why it's not used on output.



The rule of thumb for WordPress escaping is that everything needs to be escaped, regardless of input sanitation, and as lately as possible. I've read several articles saying this, because the database is not to be considered a trusted source.



But for the reasons above, the_content doesn't follow that. Nor do the core themes (i.e. TwentyNineteen) add additional escaping on output.



So...why is it helping anything to escape elsewhere? If I were a hacker with access to the database, wouldn't I just add my code to a post's content?










share|improve this question


























  • You forgot wp_kses_post

    – Tom J Nowell
    Mar 27 at 15:20











  • It runs through wp_kses_post on output? Where?

    – tmdesigned
    Mar 27 at 15:38













7












7








7


3






The built in function the_content runs through several filters, but does not escape output. It would be difficult for it to do so, as HTML and even some scripts must be allowed through.



When outputting, the_content seems to run through these filters (as of 5.0):



add_filter( 'the_content', 'do_blocks', 9 );
add_filter( 'the_content', 'wptexturize' );
add_filter( 'the_content', 'convert_smilies', 20 );
add_filter( 'the_content', 'wpautop' );
add_filter( 'the_content', 'shortcode_unautop' );
add_filter( 'the_content', 'prepend_attachment' );
add_filter( 'the_content', 'wp_make_content_images_responsive' );

(and)

add_filter( 'the_content', 'capital_P_dangit' );
add_filter( 'the_content', 'do_shortcode' );


It also does a simple string replace:



$content = str_replace( ']]>', ']]>', $content );



And then get_the_content does a tiny bit of processing related to the "more" link and a bug with foreign languages.



None of those prevent XSS script injection, right?



When saving, the data is sanitized through wp_kses_post. But as this is an expensive process, I understand why it's not used on output.



The rule of thumb for WordPress escaping is that everything needs to be escaped, regardless of input sanitation, and as lately as possible. I've read several articles saying this, because the database is not to be considered a trusted source.



But for the reasons above, the_content doesn't follow that. Nor do the core themes (i.e. TwentyNineteen) add additional escaping on output.



So...why is it helping anything to escape elsewhere? If I were a hacker with access to the database, wouldn't I just add my code to a post's content?










share|improve this question
















The built in function the_content runs through several filters, but does not escape output. It would be difficult for it to do so, as HTML and even some scripts must be allowed through.



When outputting, the_content seems to run through these filters (as of 5.0):



add_filter( 'the_content', 'do_blocks', 9 );
add_filter( 'the_content', 'wptexturize' );
add_filter( 'the_content', 'convert_smilies', 20 );
add_filter( 'the_content', 'wpautop' );
add_filter( 'the_content', 'shortcode_unautop' );
add_filter( 'the_content', 'prepend_attachment' );
add_filter( 'the_content', 'wp_make_content_images_responsive' );

(and)

add_filter( 'the_content', 'capital_P_dangit' );
add_filter( 'the_content', 'do_shortcode' );


It also does a simple string replace:



$content = str_replace( ']]>', ']]>', $content );



And then get_the_content does a tiny bit of processing related to the "more" link and a bug with foreign languages.



None of those prevent XSS script injection, right?



When saving, the data is sanitized through wp_kses_post. But as this is an expensive process, I understand why it's not used on output.



The rule of thumb for WordPress escaping is that everything needs to be escaped, regardless of input sanitation, and as lately as possible. I've read several articles saying this, because the database is not to be considered a trusted source.



But for the reasons above, the_content doesn't follow that. Nor do the core themes (i.e. TwentyNineteen) add additional escaping on output.



So...why is it helping anything to escape elsewhere? If I were a hacker with access to the database, wouldn't I just add my code to a post's content?







security






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 27 at 12:50







tmdesigned

















asked Mar 27 at 12:44









tmdesignedtmdesigned

1,4011 gold badge10 silver badges14 bronze badges




1,4011 gold badge10 silver badges14 bronze badges















  • You forgot wp_kses_post

    – Tom J Nowell
    Mar 27 at 15:20











  • It runs through wp_kses_post on output? Where?

    – tmdesigned
    Mar 27 at 15:38

















  • You forgot wp_kses_post

    – Tom J Nowell
    Mar 27 at 15:20











  • It runs through wp_kses_post on output? Where?

    – tmdesigned
    Mar 27 at 15:38
















You forgot wp_kses_post

– Tom J Nowell
Mar 27 at 15:20





You forgot wp_kses_post

– Tom J Nowell
Mar 27 at 15:20













It runs through wp_kses_post on output? Where?

– tmdesigned
Mar 27 at 15:38





It runs through wp_kses_post on output? Where?

– tmdesigned
Mar 27 at 15:38










4 Answers
4






active

oldest

votes


















9















If I were a hacker with access to the database, wouldn't I just add my
code to a post's content?




If you've got access to the database, chances are that you've got enough access that escaping isn't going to stop you. Escaping is not going to help you if you've been hacked. It's not supposed to. There's other reasons to escape. The two main ones that I can think of are:



To deal with unsanitized input



WordPress post content is sanitized when it's saved, but not everything else is. Content passed via a query string in the URL isn't sanitized, for example. Neither is content in translation files, necessarily. Both those are sources of content that have nothing to do with the site being compromised. So translatable text and content pulled from the URL need to be escaped.



To prevent users accidentally breaking markup



Escaping isn't just for security. You also need it to prevent users accidentally breaking their site's markup. For example, if the user placing quotes or > symbols in some content in your plugin would break the markup, then you should escape that output. You don't want to be over-aggressive in sanitising on input, because there's perfectly valid reasons a user might want to use those characters.





“Escaping isn’t only about protecting from bad guys. It’s just making
our software durable. Against random bad input, against malicious
input, or against bad weather.”




That's from the WordPress VIP guidelines on escaping. It has a lot more to say on this matter, and you should give it a read.






share|improve this answer

























  • Thank you, that is helpful. I had read a post on VIP about escaping and the author specifically mentioned the idea of someone having gained access to the DB but not the server. However I think your reasoning on that point makes more sense. And, I suppose, sometimes you are escaping vulnerable content from the database even without someone having had complete access to the database, i.e. via a plugin or even just a comment.

    – tmdesigned
    Mar 27 at 13:22


















8














I'm actually an engineer at VIP who does a lot of code review :) I flag a lot of missing escaping.




but does not escape output




Not quite, it doesn't escape on output, which is surprising to most people. This is because if you're a super admin you have the unfiltered_html capability, so it can't escape on output. Instead it runs it through wp_kses_post on input. Ideally you would remove that capability though.



Here is the implementation at the current time:



function the_content( $more_link_text = null, $strip_teaser = false ) 
$content = get_the_content( $more_link_text, $strip_teaser );

/**
* Filters the post content.
*
* @since 0.71
*
* @param string $content Content of the current post.
*/
$content = apply_filters( 'the_content', $content );
$content = str_replace( ']]>', ']]>', $content );
echo $content;



The ideal mechanism for escaping anything that goes through the_content filter on the other hand is:



echo apply_filters( 'the_content', wp_kses_post( $content ) );


This way we make the content safe, then run it through the filter, avoiding the embeds etc being stripped out.



So Why Escape




The point of escaping is to generate valid HTML, the added security it provides is just a nice side effect.



To prevent users accidentally breaking markup




There are many reasons to escape, but fundamentally, you're enforcing expectations. Take the following code:



<a href="<?=$url?>">


We expect $url to contain a URL suitable for a href attribute, but what if it isn't? Well why leave it to chance, lets enforce it:



<a href="<?=esc_url( $url )?>">


It is now always going to be a URL. It doesn't matter if a hacker puts an image in $url, or if a user types in the wrong field, or there's a malicious script. It will always be a valid URL because we said it's going to be a URL. Sure it might be a very strange URL, but it will always meet the expectation that a URL will be there. This is very handy, be it for markup validation, for security, etc



Having said that, escaping is not validation, escaping is not sanitisation. Those are separate steps that happen at different points in the life cycle. Escaping forces things to meet expectations, even if it mangles them to do so.



Sometimes I like to think of escaping as one of those Japanese gameshows with the giant foam wall with the cut out. Contestants have to fit in the dog shape or they get discarded, only for our purposes there are lasers and knives around the hole. Whatever is left at the end will be dog shaped, and it will be unforgiving and strict if you're not already dog shaped.



Remember:



  • sanitise early

  • validate early

  • escape late

  • escape often

Security is a multiple step, multiple layer onion of defences, escaping is one of the outer layers of defence on output. It can mangle attack code on a compromised site rendering it useless, thwart open exploits, and make sure your client doesn't break a site by putting tags in a field they shouldn't. It's not a substitute for the other things, and it's by far and away the most underused security tool in a developers handbook.



As for why to escape if the_content doesn't? If you have a flood coming, and 5 holes in a wall, but only time to fix 3, do you shrug and fix none? Or do you mitigate the risk and reduce the attack area?



Perhaps I can help fix those final 2 holes with this snippet:



add_filter( 'the_content' function( $content ) 
return wp_kses_post( $content );
, PHP_INT_MAX + 1 );


Here we set the priority to the highest possible number in PHP, then add 1 so it overflows to the lowest possible number that can be represented. This way all calls to the_content will escape the value prior to any other filters. This way embeds etc still work, but users can't sneak in dangerous HTML via the database. Additionally, look into removing the unfiltered_html capability from all roles






share|improve this answer




















  • 1





    Thanks for the additional perspective. I had actually read your post on this subject on your site and had been wondering if you'd have anything to add.

    – tmdesigned
    Mar 27 at 16:30



















4














The point of escaping is to generate valid HTML, the added security it provides is just a nice side effect.



The filters applied on the content, generate a valid HTML from something that is a mix of HTML and some other text which have some other syntax like shortcodes. The fact that some of the content is already valid HTML prevents applying escaping on all of it.



As for kses related functions, you can not apply them mainly because you do not have enough context to know which one to use. For example, there might be some process which uses the the_content filter to add JS to the post content therefor core can not guess based on things like the post author if the JS is legit or not.




So...why is it helping anything to escape elsewhere? If I were a hacker with access to the database, wouldn't I just add my code to a post's content?




Again, escaping is for generating valid HTML. From a security POV it is not that escaping provides security but that a code which lucks escaping should be suspicious as it might be easier to exploit.
For example, the way core uses _e and '__` for translations means that anyone that can convince you to install a non-official translation might be able to add hard to detect JS in the translation file and hack your site.
This is a good example of "do what I say and not what I do".






share|improve this answer

























  • Thanks, Mark, for the additional perspective.

    – tmdesigned
    Mar 27 at 17:13


















2















If I were a hacker with access to the database, wouldn't I just add my code to a post's content?




I think your question answers itself. If you were a hacker with access to the db, then you've already gained the access you require. Escaping output doesn't change that at all.



The reason for escaping output is evaluating untrusted data to avoid the hacker gaining that access in the first place.






share|improve this answer

























  • Thanks for your answer. I think I became too focused on the idea of preventing a hacker that I missed the forest for the trees.

    – tmdesigned
    Mar 27 at 13:24













Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "110"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwordpress.stackexchange.com%2fquestions%2f332740%2fwhy-escape-if-the-content-isnt%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























4 Answers
4






active

oldest

votes








4 Answers
4






active

oldest

votes









active

oldest

votes






active

oldest

votes









9















If I were a hacker with access to the database, wouldn't I just add my
code to a post's content?




If you've got access to the database, chances are that you've got enough access that escaping isn't going to stop you. Escaping is not going to help you if you've been hacked. It's not supposed to. There's other reasons to escape. The two main ones that I can think of are:



To deal with unsanitized input



WordPress post content is sanitized when it's saved, but not everything else is. Content passed via a query string in the URL isn't sanitized, for example. Neither is content in translation files, necessarily. Both those are sources of content that have nothing to do with the site being compromised. So translatable text and content pulled from the URL need to be escaped.



To prevent users accidentally breaking markup



Escaping isn't just for security. You also need it to prevent users accidentally breaking their site's markup. For example, if the user placing quotes or > symbols in some content in your plugin would break the markup, then you should escape that output. You don't want to be over-aggressive in sanitising on input, because there's perfectly valid reasons a user might want to use those characters.





“Escaping isn’t only about protecting from bad guys. It’s just making
our software durable. Against random bad input, against malicious
input, or against bad weather.”




That's from the WordPress VIP guidelines on escaping. It has a lot more to say on this matter, and you should give it a read.






share|improve this answer

























  • Thank you, that is helpful. I had read a post on VIP about escaping and the author specifically mentioned the idea of someone having gained access to the DB but not the server. However I think your reasoning on that point makes more sense. And, I suppose, sometimes you are escaping vulnerable content from the database even without someone having had complete access to the database, i.e. via a plugin or even just a comment.

    – tmdesigned
    Mar 27 at 13:22















9















If I were a hacker with access to the database, wouldn't I just add my
code to a post's content?




If you've got access to the database, chances are that you've got enough access that escaping isn't going to stop you. Escaping is not going to help you if you've been hacked. It's not supposed to. There's other reasons to escape. The two main ones that I can think of are:



To deal with unsanitized input



WordPress post content is sanitized when it's saved, but not everything else is. Content passed via a query string in the URL isn't sanitized, for example. Neither is content in translation files, necessarily. Both those are sources of content that have nothing to do with the site being compromised. So translatable text and content pulled from the URL need to be escaped.



To prevent users accidentally breaking markup



Escaping isn't just for security. You also need it to prevent users accidentally breaking their site's markup. For example, if the user placing quotes or > symbols in some content in your plugin would break the markup, then you should escape that output. You don't want to be over-aggressive in sanitising on input, because there's perfectly valid reasons a user might want to use those characters.





“Escaping isn’t only about protecting from bad guys. It’s just making
our software durable. Against random bad input, against malicious
input, or against bad weather.”




That's from the WordPress VIP guidelines on escaping. It has a lot more to say on this matter, and you should give it a read.






share|improve this answer

























  • Thank you, that is helpful. I had read a post on VIP about escaping and the author specifically mentioned the idea of someone having gained access to the DB but not the server. However I think your reasoning on that point makes more sense. And, I suppose, sometimes you are escaping vulnerable content from the database even without someone having had complete access to the database, i.e. via a plugin or even just a comment.

    – tmdesigned
    Mar 27 at 13:22













9












9








9








If I were a hacker with access to the database, wouldn't I just add my
code to a post's content?




If you've got access to the database, chances are that you've got enough access that escaping isn't going to stop you. Escaping is not going to help you if you've been hacked. It's not supposed to. There's other reasons to escape. The two main ones that I can think of are:



To deal with unsanitized input



WordPress post content is sanitized when it's saved, but not everything else is. Content passed via a query string in the URL isn't sanitized, for example. Neither is content in translation files, necessarily. Both those are sources of content that have nothing to do with the site being compromised. So translatable text and content pulled from the URL need to be escaped.



To prevent users accidentally breaking markup



Escaping isn't just for security. You also need it to prevent users accidentally breaking their site's markup. For example, if the user placing quotes or > symbols in some content in your plugin would break the markup, then you should escape that output. You don't want to be over-aggressive in sanitising on input, because there's perfectly valid reasons a user might want to use those characters.





“Escaping isn’t only about protecting from bad guys. It’s just making
our software durable. Against random bad input, against malicious
input, or against bad weather.”




That's from the WordPress VIP guidelines on escaping. It has a lot more to say on this matter, and you should give it a read.






share|improve this answer














If I were a hacker with access to the database, wouldn't I just add my
code to a post's content?




If you've got access to the database, chances are that you've got enough access that escaping isn't going to stop you. Escaping is not going to help you if you've been hacked. It's not supposed to. There's other reasons to escape. The two main ones that I can think of are:



To deal with unsanitized input



WordPress post content is sanitized when it's saved, but not everything else is. Content passed via a query string in the URL isn't sanitized, for example. Neither is content in translation files, necessarily. Both those are sources of content that have nothing to do with the site being compromised. So translatable text and content pulled from the URL need to be escaped.



To prevent users accidentally breaking markup



Escaping isn't just for security. You also need it to prevent users accidentally breaking their site's markup. For example, if the user placing quotes or > symbols in some content in your plugin would break the markup, then you should escape that output. You don't want to be over-aggressive in sanitising on input, because there's perfectly valid reasons a user might want to use those characters.





“Escaping isn’t only about protecting from bad guys. It’s just making
our software durable. Against random bad input, against malicious
input, or against bad weather.”




That's from the WordPress VIP guidelines on escaping. It has a lot more to say on this matter, and you should give it a read.







share|improve this answer












share|improve this answer



share|improve this answer










answered Mar 27 at 13:09









Jacob PeattieJacob Peattie

21.4k4 gold badges24 silver badges35 bronze badges




21.4k4 gold badges24 silver badges35 bronze badges















  • Thank you, that is helpful. I had read a post on VIP about escaping and the author specifically mentioned the idea of someone having gained access to the DB but not the server. However I think your reasoning on that point makes more sense. And, I suppose, sometimes you are escaping vulnerable content from the database even without someone having had complete access to the database, i.e. via a plugin or even just a comment.

    – tmdesigned
    Mar 27 at 13:22

















  • Thank you, that is helpful. I had read a post on VIP about escaping and the author specifically mentioned the idea of someone having gained access to the DB but not the server. However I think your reasoning on that point makes more sense. And, I suppose, sometimes you are escaping vulnerable content from the database even without someone having had complete access to the database, i.e. via a plugin or even just a comment.

    – tmdesigned
    Mar 27 at 13:22
















Thank you, that is helpful. I had read a post on VIP about escaping and the author specifically mentioned the idea of someone having gained access to the DB but not the server. However I think your reasoning on that point makes more sense. And, I suppose, sometimes you are escaping vulnerable content from the database even without someone having had complete access to the database, i.e. via a plugin or even just a comment.

– tmdesigned
Mar 27 at 13:22





Thank you, that is helpful. I had read a post on VIP about escaping and the author specifically mentioned the idea of someone having gained access to the DB but not the server. However I think your reasoning on that point makes more sense. And, I suppose, sometimes you are escaping vulnerable content from the database even without someone having had complete access to the database, i.e. via a plugin or even just a comment.

– tmdesigned
Mar 27 at 13:22













8














I'm actually an engineer at VIP who does a lot of code review :) I flag a lot of missing escaping.




but does not escape output




Not quite, it doesn't escape on output, which is surprising to most people. This is because if you're a super admin you have the unfiltered_html capability, so it can't escape on output. Instead it runs it through wp_kses_post on input. Ideally you would remove that capability though.



Here is the implementation at the current time:



function the_content( $more_link_text = null, $strip_teaser = false ) 
$content = get_the_content( $more_link_text, $strip_teaser );

/**
* Filters the post content.
*
* @since 0.71
*
* @param string $content Content of the current post.
*/
$content = apply_filters( 'the_content', $content );
$content = str_replace( ']]>', ']]&gt;', $content );
echo $content;



The ideal mechanism for escaping anything that goes through the_content filter on the other hand is:



echo apply_filters( 'the_content', wp_kses_post( $content ) );


This way we make the content safe, then run it through the filter, avoiding the embeds etc being stripped out.



So Why Escape




The point of escaping is to generate valid HTML, the added security it provides is just a nice side effect.



To prevent users accidentally breaking markup




There are many reasons to escape, but fundamentally, you're enforcing expectations. Take the following code:



<a href="<?=$url?>">


We expect $url to contain a URL suitable for a href attribute, but what if it isn't? Well why leave it to chance, lets enforce it:



<a href="<?=esc_url( $url )?>">


It is now always going to be a URL. It doesn't matter if a hacker puts an image in $url, or if a user types in the wrong field, or there's a malicious script. It will always be a valid URL because we said it's going to be a URL. Sure it might be a very strange URL, but it will always meet the expectation that a URL will be there. This is very handy, be it for markup validation, for security, etc



Having said that, escaping is not validation, escaping is not sanitisation. Those are separate steps that happen at different points in the life cycle. Escaping forces things to meet expectations, even if it mangles them to do so.



Sometimes I like to think of escaping as one of those Japanese gameshows with the giant foam wall with the cut out. Contestants have to fit in the dog shape or they get discarded, only for our purposes there are lasers and knives around the hole. Whatever is left at the end will be dog shaped, and it will be unforgiving and strict if you're not already dog shaped.



Remember:



  • sanitise early

  • validate early

  • escape late

  • escape often

Security is a multiple step, multiple layer onion of defences, escaping is one of the outer layers of defence on output. It can mangle attack code on a compromised site rendering it useless, thwart open exploits, and make sure your client doesn't break a site by putting tags in a field they shouldn't. It's not a substitute for the other things, and it's by far and away the most underused security tool in a developers handbook.



As for why to escape if the_content doesn't? If you have a flood coming, and 5 holes in a wall, but only time to fix 3, do you shrug and fix none? Or do you mitigate the risk and reduce the attack area?



Perhaps I can help fix those final 2 holes with this snippet:



add_filter( 'the_content' function( $content ) 
return wp_kses_post( $content );
, PHP_INT_MAX + 1 );


Here we set the priority to the highest possible number in PHP, then add 1 so it overflows to the lowest possible number that can be represented. This way all calls to the_content will escape the value prior to any other filters. This way embeds etc still work, but users can't sneak in dangerous HTML via the database. Additionally, look into removing the unfiltered_html capability from all roles






share|improve this answer




















  • 1





    Thanks for the additional perspective. I had actually read your post on this subject on your site and had been wondering if you'd have anything to add.

    – tmdesigned
    Mar 27 at 16:30
















8














I'm actually an engineer at VIP who does a lot of code review :) I flag a lot of missing escaping.




but does not escape output




Not quite, it doesn't escape on output, which is surprising to most people. This is because if you're a super admin you have the unfiltered_html capability, so it can't escape on output. Instead it runs it through wp_kses_post on input. Ideally you would remove that capability though.



Here is the implementation at the current time:



function the_content( $more_link_text = null, $strip_teaser = false ) 
$content = get_the_content( $more_link_text, $strip_teaser );

/**
* Filters the post content.
*
* @since 0.71
*
* @param string $content Content of the current post.
*/
$content = apply_filters( 'the_content', $content );
$content = str_replace( ']]>', ']]&gt;', $content );
echo $content;



The ideal mechanism for escaping anything that goes through the_content filter on the other hand is:



echo apply_filters( 'the_content', wp_kses_post( $content ) );


This way we make the content safe, then run it through the filter, avoiding the embeds etc being stripped out.



So Why Escape




The point of escaping is to generate valid HTML, the added security it provides is just a nice side effect.



To prevent users accidentally breaking markup




There are many reasons to escape, but fundamentally, you're enforcing expectations. Take the following code:



<a href="<?=$url?>">


We expect $url to contain a URL suitable for a href attribute, but what if it isn't? Well why leave it to chance, lets enforce it:



<a href="<?=esc_url( $url )?>">


It is now always going to be a URL. It doesn't matter if a hacker puts an image in $url, or if a user types in the wrong field, or there's a malicious script. It will always be a valid URL because we said it's going to be a URL. Sure it might be a very strange URL, but it will always meet the expectation that a URL will be there. This is very handy, be it for markup validation, for security, etc



Having said that, escaping is not validation, escaping is not sanitisation. Those are separate steps that happen at different points in the life cycle. Escaping forces things to meet expectations, even if it mangles them to do so.



Sometimes I like to think of escaping as one of those Japanese gameshows with the giant foam wall with the cut out. Contestants have to fit in the dog shape or they get discarded, only for our purposes there are lasers and knives around the hole. Whatever is left at the end will be dog shaped, and it will be unforgiving and strict if you're not already dog shaped.



Remember:



  • sanitise early

  • validate early

  • escape late

  • escape often

Security is a multiple step, multiple layer onion of defences, escaping is one of the outer layers of defence on output. It can mangle attack code on a compromised site rendering it useless, thwart open exploits, and make sure your client doesn't break a site by putting tags in a field they shouldn't. It's not a substitute for the other things, and it's by far and away the most underused security tool in a developers handbook.



As for why to escape if the_content doesn't? If you have a flood coming, and 5 holes in a wall, but only time to fix 3, do you shrug and fix none? Or do you mitigate the risk and reduce the attack area?



Perhaps I can help fix those final 2 holes with this snippet:



add_filter( 'the_content' function( $content ) 
return wp_kses_post( $content );
, PHP_INT_MAX + 1 );


Here we set the priority to the highest possible number in PHP, then add 1 so it overflows to the lowest possible number that can be represented. This way all calls to the_content will escape the value prior to any other filters. This way embeds etc still work, but users can't sneak in dangerous HTML via the database. Additionally, look into removing the unfiltered_html capability from all roles






share|improve this answer




















  • 1





    Thanks for the additional perspective. I had actually read your post on this subject on your site and had been wondering if you'd have anything to add.

    – tmdesigned
    Mar 27 at 16:30














8












8








8







I'm actually an engineer at VIP who does a lot of code review :) I flag a lot of missing escaping.




but does not escape output




Not quite, it doesn't escape on output, which is surprising to most people. This is because if you're a super admin you have the unfiltered_html capability, so it can't escape on output. Instead it runs it through wp_kses_post on input. Ideally you would remove that capability though.



Here is the implementation at the current time:



function the_content( $more_link_text = null, $strip_teaser = false ) 
$content = get_the_content( $more_link_text, $strip_teaser );

/**
* Filters the post content.
*
* @since 0.71
*
* @param string $content Content of the current post.
*/
$content = apply_filters( 'the_content', $content );
$content = str_replace( ']]>', ']]&gt;', $content );
echo $content;



The ideal mechanism for escaping anything that goes through the_content filter on the other hand is:



echo apply_filters( 'the_content', wp_kses_post( $content ) );


This way we make the content safe, then run it through the filter, avoiding the embeds etc being stripped out.



So Why Escape




The point of escaping is to generate valid HTML, the added security it provides is just a nice side effect.



To prevent users accidentally breaking markup




There are many reasons to escape, but fundamentally, you're enforcing expectations. Take the following code:



<a href="<?=$url?>">


We expect $url to contain a URL suitable for a href attribute, but what if it isn't? Well why leave it to chance, lets enforce it:



<a href="<?=esc_url( $url )?>">


It is now always going to be a URL. It doesn't matter if a hacker puts an image in $url, or if a user types in the wrong field, or there's a malicious script. It will always be a valid URL because we said it's going to be a URL. Sure it might be a very strange URL, but it will always meet the expectation that a URL will be there. This is very handy, be it for markup validation, for security, etc



Having said that, escaping is not validation, escaping is not sanitisation. Those are separate steps that happen at different points in the life cycle. Escaping forces things to meet expectations, even if it mangles them to do so.



Sometimes I like to think of escaping as one of those Japanese gameshows with the giant foam wall with the cut out. Contestants have to fit in the dog shape or they get discarded, only for our purposes there are lasers and knives around the hole. Whatever is left at the end will be dog shaped, and it will be unforgiving and strict if you're not already dog shaped.



Remember:



  • sanitise early

  • validate early

  • escape late

  • escape often

Security is a multiple step, multiple layer onion of defences, escaping is one of the outer layers of defence on output. It can mangle attack code on a compromised site rendering it useless, thwart open exploits, and make sure your client doesn't break a site by putting tags in a field they shouldn't. It's not a substitute for the other things, and it's by far and away the most underused security tool in a developers handbook.



As for why to escape if the_content doesn't? If you have a flood coming, and 5 holes in a wall, but only time to fix 3, do you shrug and fix none? Or do you mitigate the risk and reduce the attack area?



Perhaps I can help fix those final 2 holes with this snippet:



add_filter( 'the_content' function( $content ) 
return wp_kses_post( $content );
, PHP_INT_MAX + 1 );


Here we set the priority to the highest possible number in PHP, then add 1 so it overflows to the lowest possible number that can be represented. This way all calls to the_content will escape the value prior to any other filters. This way embeds etc still work, but users can't sneak in dangerous HTML via the database. Additionally, look into removing the unfiltered_html capability from all roles






share|improve this answer













I'm actually an engineer at VIP who does a lot of code review :) I flag a lot of missing escaping.




but does not escape output




Not quite, it doesn't escape on output, which is surprising to most people. This is because if you're a super admin you have the unfiltered_html capability, so it can't escape on output. Instead it runs it through wp_kses_post on input. Ideally you would remove that capability though.



Here is the implementation at the current time:



function the_content( $more_link_text = null, $strip_teaser = false ) 
$content = get_the_content( $more_link_text, $strip_teaser );

/**
* Filters the post content.
*
* @since 0.71
*
* @param string $content Content of the current post.
*/
$content = apply_filters( 'the_content', $content );
$content = str_replace( ']]>', ']]&gt;', $content );
echo $content;



The ideal mechanism for escaping anything that goes through the_content filter on the other hand is:



echo apply_filters( 'the_content', wp_kses_post( $content ) );


This way we make the content safe, then run it through the filter, avoiding the embeds etc being stripped out.



So Why Escape




The point of escaping is to generate valid HTML, the added security it provides is just a nice side effect.



To prevent users accidentally breaking markup




There are many reasons to escape, but fundamentally, you're enforcing expectations. Take the following code:



<a href="<?=$url?>">


We expect $url to contain a URL suitable for a href attribute, but what if it isn't? Well why leave it to chance, lets enforce it:



<a href="<?=esc_url( $url )?>">


It is now always going to be a URL. It doesn't matter if a hacker puts an image in $url, or if a user types in the wrong field, or there's a malicious script. It will always be a valid URL because we said it's going to be a URL. Sure it might be a very strange URL, but it will always meet the expectation that a URL will be there. This is very handy, be it for markup validation, for security, etc



Having said that, escaping is not validation, escaping is not sanitisation. Those are separate steps that happen at different points in the life cycle. Escaping forces things to meet expectations, even if it mangles them to do so.



Sometimes I like to think of escaping as one of those Japanese gameshows with the giant foam wall with the cut out. Contestants have to fit in the dog shape or they get discarded, only for our purposes there are lasers and knives around the hole. Whatever is left at the end will be dog shaped, and it will be unforgiving and strict if you're not already dog shaped.



Remember:



  • sanitise early

  • validate early

  • escape late

  • escape often

Security is a multiple step, multiple layer onion of defences, escaping is one of the outer layers of defence on output. It can mangle attack code on a compromised site rendering it useless, thwart open exploits, and make sure your client doesn't break a site by putting tags in a field they shouldn't. It's not a substitute for the other things, and it's by far and away the most underused security tool in a developers handbook.



As for why to escape if the_content doesn't? If you have a flood coming, and 5 holes in a wall, but only time to fix 3, do you shrug and fix none? Or do you mitigate the risk and reduce the attack area?



Perhaps I can help fix those final 2 holes with this snippet:



add_filter( 'the_content' function( $content ) 
return wp_kses_post( $content );
, PHP_INT_MAX + 1 );


Here we set the priority to the highest possible number in PHP, then add 1 so it overflows to the lowest possible number that can be represented. This way all calls to the_content will escape the value prior to any other filters. This way embeds etc still work, but users can't sneak in dangerous HTML via the database. Additionally, look into removing the unfiltered_html capability from all roles







share|improve this answer












share|improve this answer



share|improve this answer










answered Mar 27 at 15:46









Tom J NowellTom J Nowell

34.5k4 gold badges51 silver badges104 bronze badges




34.5k4 gold badges51 silver badges104 bronze badges










  • 1





    Thanks for the additional perspective. I had actually read your post on this subject on your site and had been wondering if you'd have anything to add.

    – tmdesigned
    Mar 27 at 16:30













  • 1





    Thanks for the additional perspective. I had actually read your post on this subject on your site and had been wondering if you'd have anything to add.

    – tmdesigned
    Mar 27 at 16:30








1




1





Thanks for the additional perspective. I had actually read your post on this subject on your site and had been wondering if you'd have anything to add.

– tmdesigned
Mar 27 at 16:30






Thanks for the additional perspective. I had actually read your post on this subject on your site and had been wondering if you'd have anything to add.

– tmdesigned
Mar 27 at 16:30












4














The point of escaping is to generate valid HTML, the added security it provides is just a nice side effect.



The filters applied on the content, generate a valid HTML from something that is a mix of HTML and some other text which have some other syntax like shortcodes. The fact that some of the content is already valid HTML prevents applying escaping on all of it.



As for kses related functions, you can not apply them mainly because you do not have enough context to know which one to use. For example, there might be some process which uses the the_content filter to add JS to the post content therefor core can not guess based on things like the post author if the JS is legit or not.




So...why is it helping anything to escape elsewhere? If I were a hacker with access to the database, wouldn't I just add my code to a post's content?




Again, escaping is for generating valid HTML. From a security POV it is not that escaping provides security but that a code which lucks escaping should be suspicious as it might be easier to exploit.
For example, the way core uses _e and '__` for translations means that anyone that can convince you to install a non-official translation might be able to add hard to detect JS in the translation file and hack your site.
This is a good example of "do what I say and not what I do".






share|improve this answer

























  • Thanks, Mark, for the additional perspective.

    – tmdesigned
    Mar 27 at 17:13















4














The point of escaping is to generate valid HTML, the added security it provides is just a nice side effect.



The filters applied on the content, generate a valid HTML from something that is a mix of HTML and some other text which have some other syntax like shortcodes. The fact that some of the content is already valid HTML prevents applying escaping on all of it.



As for kses related functions, you can not apply them mainly because you do not have enough context to know which one to use. For example, there might be some process which uses the the_content filter to add JS to the post content therefor core can not guess based on things like the post author if the JS is legit or not.




So...why is it helping anything to escape elsewhere? If I were a hacker with access to the database, wouldn't I just add my code to a post's content?




Again, escaping is for generating valid HTML. From a security POV it is not that escaping provides security but that a code which lucks escaping should be suspicious as it might be easier to exploit.
For example, the way core uses _e and '__` for translations means that anyone that can convince you to install a non-official translation might be able to add hard to detect JS in the translation file and hack your site.
This is a good example of "do what I say and not what I do".






share|improve this answer

























  • Thanks, Mark, for the additional perspective.

    – tmdesigned
    Mar 27 at 17:13













4












4








4







The point of escaping is to generate valid HTML, the added security it provides is just a nice side effect.



The filters applied on the content, generate a valid HTML from something that is a mix of HTML and some other text which have some other syntax like shortcodes. The fact that some of the content is already valid HTML prevents applying escaping on all of it.



As for kses related functions, you can not apply them mainly because you do not have enough context to know which one to use. For example, there might be some process which uses the the_content filter to add JS to the post content therefor core can not guess based on things like the post author if the JS is legit or not.




So...why is it helping anything to escape elsewhere? If I were a hacker with access to the database, wouldn't I just add my code to a post's content?




Again, escaping is for generating valid HTML. From a security POV it is not that escaping provides security but that a code which lucks escaping should be suspicious as it might be easier to exploit.
For example, the way core uses _e and '__` for translations means that anyone that can convince you to install a non-official translation might be able to add hard to detect JS in the translation file and hack your site.
This is a good example of "do what I say and not what I do".






share|improve this answer













The point of escaping is to generate valid HTML, the added security it provides is just a nice side effect.



The filters applied on the content, generate a valid HTML from something that is a mix of HTML and some other text which have some other syntax like shortcodes. The fact that some of the content is already valid HTML prevents applying escaping on all of it.



As for kses related functions, you can not apply them mainly because you do not have enough context to know which one to use. For example, there might be some process which uses the the_content filter to add JS to the post content therefor core can not guess based on things like the post author if the JS is legit or not.




So...why is it helping anything to escape elsewhere? If I were a hacker with access to the database, wouldn't I just add my code to a post's content?




Again, escaping is for generating valid HTML. From a security POV it is not that escaping provides security but that a code which lucks escaping should be suspicious as it might be easier to exploit.
For example, the way core uses _e and '__` for translations means that anyone that can convince you to install a non-official translation might be able to add hard to detect JS in the translation file and hack your site.
This is a good example of "do what I say and not what I do".







share|improve this answer












share|improve this answer



share|improve this answer










answered Mar 27 at 13:30









Mark KaplunMark Kaplun

20.3k5 gold badges30 silver badges57 bronze badges




20.3k5 gold badges30 silver badges57 bronze badges















  • Thanks, Mark, for the additional perspective.

    – tmdesigned
    Mar 27 at 17:13

















  • Thanks, Mark, for the additional perspective.

    – tmdesigned
    Mar 27 at 17:13
















Thanks, Mark, for the additional perspective.

– tmdesigned
Mar 27 at 17:13





Thanks, Mark, for the additional perspective.

– tmdesigned
Mar 27 at 17:13











2















If I were a hacker with access to the database, wouldn't I just add my code to a post's content?




I think your question answers itself. If you were a hacker with access to the db, then you've already gained the access you require. Escaping output doesn't change that at all.



The reason for escaping output is evaluating untrusted data to avoid the hacker gaining that access in the first place.






share|improve this answer

























  • Thanks for your answer. I think I became too focused on the idea of preventing a hacker that I missed the forest for the trees.

    – tmdesigned
    Mar 27 at 13:24















2















If I were a hacker with access to the database, wouldn't I just add my code to a post's content?




I think your question answers itself. If you were a hacker with access to the db, then you've already gained the access you require. Escaping output doesn't change that at all.



The reason for escaping output is evaluating untrusted data to avoid the hacker gaining that access in the first place.






share|improve this answer

























  • Thanks for your answer. I think I became too focused on the idea of preventing a hacker that I missed the forest for the trees.

    – tmdesigned
    Mar 27 at 13:24













2












2








2








If I were a hacker with access to the database, wouldn't I just add my code to a post's content?




I think your question answers itself. If you were a hacker with access to the db, then you've already gained the access you require. Escaping output doesn't change that at all.



The reason for escaping output is evaluating untrusted data to avoid the hacker gaining that access in the first place.






share|improve this answer














If I were a hacker with access to the database, wouldn't I just add my code to a post's content?




I think your question answers itself. If you were a hacker with access to the db, then you've already gained the access you require. Escaping output doesn't change that at all.



The reason for escaping output is evaluating untrusted data to avoid the hacker gaining that access in the first place.







share|improve this answer












share|improve this answer



share|improve this answer










answered Mar 27 at 13:06









butlerblogbutlerblog

2,3872 gold badges15 silver badges29 bronze badges




2,3872 gold badges15 silver badges29 bronze badges















  • Thanks for your answer. I think I became too focused on the idea of preventing a hacker that I missed the forest for the trees.

    – tmdesigned
    Mar 27 at 13:24

















  • Thanks for your answer. I think I became too focused on the idea of preventing a hacker that I missed the forest for the trees.

    – tmdesigned
    Mar 27 at 13:24
















Thanks for your answer. I think I became too focused on the idea of preventing a hacker that I missed the forest for the trees.

– tmdesigned
Mar 27 at 13:24





Thanks for your answer. I think I became too focused on the idea of preventing a hacker that I missed the forest for the trees.

– tmdesigned
Mar 27 at 13:24

















draft saved

draft discarded
















































Thanks for contributing an answer to WordPress Development Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwordpress.stackexchange.com%2fquestions%2f332740%2fwhy-escape-if-the-content-isnt%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Kamusi Yaliyomo Aina za kamusi | Muundo wa kamusi | Faida za kamusi | Dhima ya picha katika kamusi | Marejeo | Tazama pia | Viungo vya nje | UrambazajiKuhusu kamusiGo-SwahiliWiki-KamusiKamusi ya Kiswahili na Kiingerezakuihariri na kuongeza habari

SQL error code 1064 with creating Laravel foreign keysForeign key constraints: When to use ON UPDATE and ON DELETEDropping column with foreign key Laravel error: General error: 1025 Error on renameLaravel SQL Can't create tableLaravel Migration foreign key errorLaravel php artisan migrate:refresh giving a syntax errorSQLSTATE[42S01]: Base table or view already exists or Base table or view already exists: 1050 Tableerror in migrating laravel file to xampp serverSyntax error or access violation: 1064:syntax to use near 'unsigned not null, modelName varchar(191) not null, title varchar(191) not nLaravel cannot create new table field in mysqlLaravel 5.7:Last migration creates table but is not registered in the migration table

은진 송씨 목차 역사 본관 분파 인물 조선 왕실과의 인척 관계 집성촌 항렬자 인구 같이 보기 각주 둘러보기 메뉴은진 송씨세종실록 149권, 지리지 충청도 공주목 은진현