Should messages in WP_Error already be html escaped?












2















This isn't about what html escaping is or how it's done, but if there's an established best practice about when to do it.



I have some utility code in my plugin that may generate a WP_Error based on user input, and other display code that shows that WP_Error. Of course that user input needs to be html escaped when displaying, but I'm not sure when would be the best time to do it.



I have a choice about whether to:




  • Escape the message as I'm constructing the WP_Error, and the display code shows it as-is.


  • Don't worry about escaping when constructing the WP_Error, and in the display code fully escape all the WP_Error messages.



Either would work, but if my plugin ends up interacting with other plugins and possibly displaying their WP_Error or vice-versa, I'd like to match whatever precedent exists in the Wordpress world.



I had hoped the documentation would address this, but I didn't see anything on https://codex.wordpress.org/Class_Reference/WP_Error










share|improve this question









New contributor




Jason Viers is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

























    2















    This isn't about what html escaping is or how it's done, but if there's an established best practice about when to do it.



    I have some utility code in my plugin that may generate a WP_Error based on user input, and other display code that shows that WP_Error. Of course that user input needs to be html escaped when displaying, but I'm not sure when would be the best time to do it.



    I have a choice about whether to:




    • Escape the message as I'm constructing the WP_Error, and the display code shows it as-is.


    • Don't worry about escaping when constructing the WP_Error, and in the display code fully escape all the WP_Error messages.



    Either would work, but if my plugin ends up interacting with other plugins and possibly displaying their WP_Error or vice-versa, I'd like to match whatever precedent exists in the Wordpress world.



    I had hoped the documentation would address this, but I didn't see anything on https://codex.wordpress.org/Class_Reference/WP_Error










    share|improve this question









    New contributor




    Jason Viers is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.























      2












      2








      2








      This isn't about what html escaping is or how it's done, but if there's an established best practice about when to do it.



      I have some utility code in my plugin that may generate a WP_Error based on user input, and other display code that shows that WP_Error. Of course that user input needs to be html escaped when displaying, but I'm not sure when would be the best time to do it.



      I have a choice about whether to:




      • Escape the message as I'm constructing the WP_Error, and the display code shows it as-is.


      • Don't worry about escaping when constructing the WP_Error, and in the display code fully escape all the WP_Error messages.



      Either would work, but if my plugin ends up interacting with other plugins and possibly displaying their WP_Error or vice-versa, I'd like to match whatever precedent exists in the Wordpress world.



      I had hoped the documentation would address this, but I didn't see anything on https://codex.wordpress.org/Class_Reference/WP_Error










      share|improve this question









      New contributor




      Jason Viers is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.












      This isn't about what html escaping is or how it's done, but if there's an established best practice about when to do it.



      I have some utility code in my plugin that may generate a WP_Error based on user input, and other display code that shows that WP_Error. Of course that user input needs to be html escaped when displaying, but I'm not sure when would be the best time to do it.



      I have a choice about whether to:




      • Escape the message as I'm constructing the WP_Error, and the display code shows it as-is.


      • Don't worry about escaping when constructing the WP_Error, and in the display code fully escape all the WP_Error messages.



      Either would work, but if my plugin ends up interacting with other plugins and possibly displaying their WP_Error or vice-versa, I'd like to match whatever precedent exists in the Wordpress world.



      I had hoped the documentation would address this, but I didn't see anything on https://codex.wordpress.org/Class_Reference/WP_Error







      plugins errors escaping






      share|improve this question









      New contributor




      Jason Viers is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question









      New contributor




      Jason Viers is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question








      edited 9 hours ago







      Jason Viers













      New contributor




      Jason Viers is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 9 hours ago









      Jason ViersJason Viers

      1112




      1112




      New contributor




      Jason Viers is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Jason Viers is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Jason Viers is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






















          3 Answers
          3






          active

          oldest

          votes


















          2














          No, escaping should happen at the moment of output ( late escaping ) so that we know that it only occurs once. Double escaping can allow specially crafted output to break out.



          Since WP_Error does not output, and is not responsible for outputting, it should not perform any escaping internally, nor should its inputs be escaped. Validated/sanitised perhaps, but not escaped.



          If we did escape on input, we would either have to double escape, or trust all WP_Error objects, which is a non-starter.



          So instead, the code that recieves and outputs the WP_Error object is where the escaping should be, that way we escape on output safe in the knowledge that no early escaping has occurred, no double escaping happens, wether it's been escaped is not a problem we have to deal with, and the responsibility for escaping is clear and straight forward






          share|improve this answer































            1














            It's a very good question.



            WP_Error class doesn't do anything with messages you set. So what you set is what you get ;)



            On the other hand, the error messages can contain HTML, so you can't escape all of them, when printing errors. For example here you get a message from wp-login.php file:



            $errors->add('empty_username', __('<strong>ERROR</strong>: Enter a username or email address.'));


            And to make things even harder - as you can see - it's passed through __() function, so after translation the message may contain even more HTML tags.



            All of that means that you should take care of escaping data that may be harmful and remember that errors can contain HTML tags when printing them.






            share|improve this answer































              0














              Personally, I'd keep the error messages basically plain text and static (don't include the user's input) - from what I've seen, most plugins take this mindset of error messages being short text-only notes of what has gone wrong. This allows you to use messages like "Password is too short" vs "'MyPass' is to short of a password".



              If you need some HTML in the error message itself, I'd escape it on the way in.



              $error = new WP_Error();

              $message = "The correct tag is <strong></strong>";
              $html_ok_message = htmlspecialchars($message);

              $error->add($code, $html_ok_message, $data);


              You could escape them on the way out if you know all the possible errors encountered have no HTML that needs to be displayed. If you escape them all always when outputting, you'll likely end up with things like &lt;strong;Error&gt; Something went wrong in XY_Other_plugin .






              share|improve this answer























                Your Answer








                StackExchange.ready(function() {
                var channelOptions = {
                tags: "".split(" "),
                id: "110"
                };
                initTagRenderer("".split(" "), "".split(" "), channelOptions);

                StackExchange.using("externalEditor", function() {
                // Have to fire editor after snippets, if snippets enabled
                if (StackExchange.settings.snippets.snippetsEnabled) {
                StackExchange.using("snippets", function() {
                createEditor();
                });
                }
                else {
                createEditor();
                }
                });

                function createEditor() {
                StackExchange.prepareEditor({
                heartbeatType: 'answer',
                autoActivateHeartbeat: false,
                convertImagesToLinks: false,
                noModals: true,
                showLowRepImageUploadWarning: true,
                reputationToPostImages: null,
                bindNavPrevention: true,
                postfix: "",
                imageUploader: {
                brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
                contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
                allowUrls: true
                },
                onDemand: true,
                discardSelector: ".discard-answer"
                ,immediatelyShowMarkdownHelp:true
                });


                }
                });






                Jason Viers is a new contributor. Be nice, and check out our Code of Conduct.










                draft saved

                draft discarded


















                StackExchange.ready(
                function () {
                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwordpress.stackexchange.com%2fquestions%2f325478%2fshould-messages-in-wp-error-already-be-html-escaped%23new-answer', 'question_page');
                }
                );

                Post as a guest















                Required, but never shown

























                3 Answers
                3






                active

                oldest

                votes








                3 Answers
                3






                active

                oldest

                votes









                active

                oldest

                votes






                active

                oldest

                votes









                2














                No, escaping should happen at the moment of output ( late escaping ) so that we know that it only occurs once. Double escaping can allow specially crafted output to break out.



                Since WP_Error does not output, and is not responsible for outputting, it should not perform any escaping internally, nor should its inputs be escaped. Validated/sanitised perhaps, but not escaped.



                If we did escape on input, we would either have to double escape, or trust all WP_Error objects, which is a non-starter.



                So instead, the code that recieves and outputs the WP_Error object is where the escaping should be, that way we escape on output safe in the knowledge that no early escaping has occurred, no double escaping happens, wether it's been escaped is not a problem we have to deal with, and the responsibility for escaping is clear and straight forward






                share|improve this answer




























                  2














                  No, escaping should happen at the moment of output ( late escaping ) so that we know that it only occurs once. Double escaping can allow specially crafted output to break out.



                  Since WP_Error does not output, and is not responsible for outputting, it should not perform any escaping internally, nor should its inputs be escaped. Validated/sanitised perhaps, but not escaped.



                  If we did escape on input, we would either have to double escape, or trust all WP_Error objects, which is a non-starter.



                  So instead, the code that recieves and outputs the WP_Error object is where the escaping should be, that way we escape on output safe in the knowledge that no early escaping has occurred, no double escaping happens, wether it's been escaped is not a problem we have to deal with, and the responsibility for escaping is clear and straight forward






                  share|improve this answer


























                    2












                    2








                    2







                    No, escaping should happen at the moment of output ( late escaping ) so that we know that it only occurs once. Double escaping can allow specially crafted output to break out.



                    Since WP_Error does not output, and is not responsible for outputting, it should not perform any escaping internally, nor should its inputs be escaped. Validated/sanitised perhaps, but not escaped.



                    If we did escape on input, we would either have to double escape, or trust all WP_Error objects, which is a non-starter.



                    So instead, the code that recieves and outputs the WP_Error object is where the escaping should be, that way we escape on output safe in the knowledge that no early escaping has occurred, no double escaping happens, wether it's been escaped is not a problem we have to deal with, and the responsibility for escaping is clear and straight forward






                    share|improve this answer













                    No, escaping should happen at the moment of output ( late escaping ) so that we know that it only occurs once. Double escaping can allow specially crafted output to break out.



                    Since WP_Error does not output, and is not responsible for outputting, it should not perform any escaping internally, nor should its inputs be escaped. Validated/sanitised perhaps, but not escaped.



                    If we did escape on input, we would either have to double escape, or trust all WP_Error objects, which is a non-starter.



                    So instead, the code that recieves and outputs the WP_Error object is where the escaping should be, that way we escape on output safe in the knowledge that no early escaping has occurred, no double escaping happens, wether it's been escaped is not a problem we have to deal with, and the responsibility for escaping is clear and straight forward







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered 4 hours ago









                    Tom J NowellTom J Nowell

                    32.1k44796




                    32.1k44796

























                        1














                        It's a very good question.



                        WP_Error class doesn't do anything with messages you set. So what you set is what you get ;)



                        On the other hand, the error messages can contain HTML, so you can't escape all of them, when printing errors. For example here you get a message from wp-login.php file:



                        $errors->add('empty_username', __('<strong>ERROR</strong>: Enter a username or email address.'));


                        And to make things even harder - as you can see - it's passed through __() function, so after translation the message may contain even more HTML tags.



                        All of that means that you should take care of escaping data that may be harmful and remember that errors can contain HTML tags when printing them.






                        share|improve this answer




























                          1














                          It's a very good question.



                          WP_Error class doesn't do anything with messages you set. So what you set is what you get ;)



                          On the other hand, the error messages can contain HTML, so you can't escape all of them, when printing errors. For example here you get a message from wp-login.php file:



                          $errors->add('empty_username', __('<strong>ERROR</strong>: Enter a username or email address.'));


                          And to make things even harder - as you can see - it's passed through __() function, so after translation the message may contain even more HTML tags.



                          All of that means that you should take care of escaping data that may be harmful and remember that errors can contain HTML tags when printing them.






                          share|improve this answer


























                            1












                            1








                            1







                            It's a very good question.



                            WP_Error class doesn't do anything with messages you set. So what you set is what you get ;)



                            On the other hand, the error messages can contain HTML, so you can't escape all of them, when printing errors. For example here you get a message from wp-login.php file:



                            $errors->add('empty_username', __('<strong>ERROR</strong>: Enter a username or email address.'));


                            And to make things even harder - as you can see - it's passed through __() function, so after translation the message may contain even more HTML tags.



                            All of that means that you should take care of escaping data that may be harmful and remember that errors can contain HTML tags when printing them.






                            share|improve this answer













                            It's a very good question.



                            WP_Error class doesn't do anything with messages you set. So what you set is what you get ;)



                            On the other hand, the error messages can contain HTML, so you can't escape all of them, when printing errors. For example here you get a message from wp-login.php file:



                            $errors->add('empty_username', __('<strong>ERROR</strong>: Enter a username or email address.'));


                            And to make things even harder - as you can see - it's passed through __() function, so after translation the message may contain even more HTML tags.



                            All of that means that you should take care of escaping data that may be harmful and remember that errors can contain HTML tags when printing them.







                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered 7 hours ago









                            Krzysiek DróżdżKrzysiek Dróżdż

                            14.4k52742




                            14.4k52742























                                0














                                Personally, I'd keep the error messages basically plain text and static (don't include the user's input) - from what I've seen, most plugins take this mindset of error messages being short text-only notes of what has gone wrong. This allows you to use messages like "Password is too short" vs "'MyPass' is to short of a password".



                                If you need some HTML in the error message itself, I'd escape it on the way in.



                                $error = new WP_Error();

                                $message = "The correct tag is <strong></strong>";
                                $html_ok_message = htmlspecialchars($message);

                                $error->add($code, $html_ok_message, $data);


                                You could escape them on the way out if you know all the possible errors encountered have no HTML that needs to be displayed. If you escape them all always when outputting, you'll likely end up with things like &lt;strong;Error&gt; Something went wrong in XY_Other_plugin .






                                share|improve this answer




























                                  0














                                  Personally, I'd keep the error messages basically plain text and static (don't include the user's input) - from what I've seen, most plugins take this mindset of error messages being short text-only notes of what has gone wrong. This allows you to use messages like "Password is too short" vs "'MyPass' is to short of a password".



                                  If you need some HTML in the error message itself, I'd escape it on the way in.



                                  $error = new WP_Error();

                                  $message = "The correct tag is <strong></strong>";
                                  $html_ok_message = htmlspecialchars($message);

                                  $error->add($code, $html_ok_message, $data);


                                  You could escape them on the way out if you know all the possible errors encountered have no HTML that needs to be displayed. If you escape them all always when outputting, you'll likely end up with things like &lt;strong;Error&gt; Something went wrong in XY_Other_plugin .






                                  share|improve this answer


























                                    0












                                    0








                                    0







                                    Personally, I'd keep the error messages basically plain text and static (don't include the user's input) - from what I've seen, most plugins take this mindset of error messages being short text-only notes of what has gone wrong. This allows you to use messages like "Password is too short" vs "'MyPass' is to short of a password".



                                    If you need some HTML in the error message itself, I'd escape it on the way in.



                                    $error = new WP_Error();

                                    $message = "The correct tag is <strong></strong>";
                                    $html_ok_message = htmlspecialchars($message);

                                    $error->add($code, $html_ok_message, $data);


                                    You could escape them on the way out if you know all the possible errors encountered have no HTML that needs to be displayed. If you escape them all always when outputting, you'll likely end up with things like &lt;strong;Error&gt; Something went wrong in XY_Other_plugin .






                                    share|improve this answer













                                    Personally, I'd keep the error messages basically plain text and static (don't include the user's input) - from what I've seen, most plugins take this mindset of error messages being short text-only notes of what has gone wrong. This allows you to use messages like "Password is too short" vs "'MyPass' is to short of a password".



                                    If you need some HTML in the error message itself, I'd escape it on the way in.



                                    $error = new WP_Error();

                                    $message = "The correct tag is <strong></strong>";
                                    $html_ok_message = htmlspecialchars($message);

                                    $error->add($code, $html_ok_message, $data);


                                    You could escape them on the way out if you know all the possible errors encountered have no HTML that needs to be displayed. If you escape them all always when outputting, you'll likely end up with things like &lt;strong;Error&gt; Something went wrong in XY_Other_plugin .







                                    share|improve this answer












                                    share|improve this answer



                                    share|improve this answer










                                    answered 7 hours ago









                                    DACrosbyDACrosby

                                    29817




                                    29817






















                                        Jason Viers is a new contributor. Be nice, and check out our Code of Conduct.










                                        draft saved

                                        draft discarded


















                                        Jason Viers is a new contributor. Be nice, and check out our Code of Conduct.













                                        Jason Viers is a new contributor. Be nice, and check out our Code of Conduct.












                                        Jason Viers is a new contributor. Be nice, and check out our Code of Conduct.
















                                        Thanks for contributing an answer to WordPress Development Stack Exchange!


                                        • Please be sure to answer the question. Provide details and share your research!

                                        But avoid



                                        • Asking for help, clarification, or responding to other answers.

                                        • Making statements based on opinion; back them up with references or personal experience.


                                        To learn more, see our tips on writing great answers.




                                        draft saved


                                        draft discarded














                                        StackExchange.ready(
                                        function () {
                                        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwordpress.stackexchange.com%2fquestions%2f325478%2fshould-messages-in-wp-error-already-be-html-escaped%23new-answer', 'question_page');
                                        }
                                        );

                                        Post as a guest















                                        Required, but never shown





















































                                        Required, but never shown














                                        Required, but never shown












                                        Required, but never shown







                                        Required, but never shown

































                                        Required, but never shown














                                        Required, but never shown












                                        Required, but never shown







                                        Required, but never shown







                                        Popular posts from this blog

                                        Eastern Orthodox Church

                                        Zagreb

                                        Understanding the information contained in the Deep Space Network XML data?