'; echo ent2ncr( $text ); // Bad. echo number_format( 1024 ); echo ent2ncr( esc_html( $_data ) ); echo $foo ? $foo : 'no foo'; // Bad. echo empty( $foo ) ? 'no foo' : $foo; // Bad. echo $foo ? esc_html( $foo ) : 'no foo'; // Ok. echo 4; // Ok. exit( $foo ); // Bad. exit( esc_html( $foo ) ); // Ok. die( $foo ); // Bad. die( esc_html( $foo ) ); // Ok. printf( 'Hello %s', $foo ); // Bad. printf( 'Hello %s', esc_html( $foo ) ); // Ok. printf( 'Hello %s! Hi %s!', esc_html( $foo ), $bar ); // Bad. vprintf( 'Hello %s', array( $foo ) ); // Bad. vprintf( 'Hello %s', array( esc_html( $foo ) ) ); // Ok. // The below checks that functions which are marked as needed further sanitization // don't spill over into later arguments when nested in a function call. There was // a bug which would cause line 84 to be marked as needing sanitization because _x() // is marked as needing sanitization. do_something( _x( 'Some string', 'context', 'domain' ) , array( $foo ) // Ok. ); // There was a bug where an empty exit followed by other code would give an error. if ( ! defined( 'ABSPATH' ) ) { exit; // Ok. } else { other(); } printf( /* translators: this comment is just for you. */ esc_html__( 'Hello %s.', 'domain' ) , 'world' // There were other long arguments down here "in real life", which is why this was multi-line. ); wp_die( $message ); // Bad. wp_die( esc_html( $message ) ); // Ok. wp_die( esc_html( $message ), $title ); // Bad. wp_die( esc_html( $message ), esc_html( $title ) ); // Ok. wp_die( esc_html( $message ), '', array( 'back_link' => true ) ); // Ok. wp_die( esc_html( $message ), '', array( 'back_link' => false ) ); // Ok. wp_die( esc_html( $message ), '', array( 'response' => 200 ) ); // Ok. echo '

', esc_html( $foo ), '

'; // Ok. echo 'a', 'b'; // Ok. echo 'Hello, ', $foo; // Bad. echo esc_html( $foo ), $bar; // Bad. echo (int) $foo, $bar; // Bad. echo (int) get_post_meta( $post_id, SOME_NUMBER, true ), do_something( $else ); // Bad. wp_die( -1 ); // Ok. ?>

' . sprintf( esc_html__( 'Some text -> %sLink text%s', 'textdomain' ), '', '' ). '

'; // Ok. echo '
' . sprintf( esc_html__( 'Found %d results', 'textdomain' ), (int) $result_count ) . '

'; // Ok. echo sprintf( 'Hello %s', $foo ); // Bad. echo sprintf( 'Hello %s', esc_html( $foo ) ); // Ok. echo sprintf( 'Hello %s! Hi %s!', esc_html( $foo ), $bar ); // Bad. echo vsprintf( 'Hello %s', array( $foo ) ); // Bad. echo vsprintf( 'Hello %s', array( esc_html( $foo ) ) ); // Ok. echo sprintf( __( 'Welcome to Genesis %s', 'genesis' ), PARENT_THEME_BRANCH ); // Bad x 2. echo sprintf( esc_html__( 'Welcome to Genesis %s', 'genesis' ), esc_html( PARENT_THEME_BRANCH ) ); // Ok. echo esc_html( strval( $_var ) ? $_var : gettype( $_var ) ); // Ok. echo ( $is_hidden ) ? ' style="display:none;"' : ''; // Ok. echo sprintf( 'Howdy, %s', esc_html( $name ? $name : __( 'Partner' ) ) ); // Ok. _e( 'Something' ); // Bad. esc_html_e( 'Something' ); // Ok. echo $something // Bad. . esc_attr( 'baz-' // Rest is OK. . $r . ( $r === $active_round ? ' foo' : '' ) . ( $r < $active_round ? ' bar' : '' ) ) . 'something'; echo implode( '
', $items ); // Bad. echo implode( '
', urlencode_deep( $items ) ); // Ok. echo implode( '
', array_map( 'esc_html', $items ) ); // Ok. echo implode( '
', array_map( 'foo', $items ) ); // Bad. echo join( '
', $items ); // Bad. echo join( '
', array_map( 'esc_html', $items ) ); // Ok. echo ''; _deprecated_hook( 'some_filter', '1.3.0', esc_html__( 'The $arg is deprecated.' ), 'some_other_filter' ); // Ok. _deprecated_hook( "filter_{$context}", '1.3.0', __( 'The $arg is deprecated.' ), sprintf( __( 'Some parsed message %s', $variable ) ) ); // Bad. echo add_filter( get_the_excerpt( get_the_ID() ) ; // Bad, but ignored as code contains a parse error. /* * Test using custom properties, setting & unsetting (resetting). */ // @codingStandardsChangeSetting WordPress.XSS.EscapeOutput customPrintingFunctions to_screen,my_print to_screen( $var1, esc_attr( $var2 ) ); // Bad x 1. my_print( $var1, $var2 ); // Bad x 2. // @codingStandardsChangeSetting WordPress.XSS.EscapeOutput customEscapingFunctions esc_form_field // @codingStandardsChangeSetting WordPress.XSS.EscapeOutput customAutoEscapedFunctions post_info,cpt_info echo esc_form_field( $var ); // Ok. echo post_info( $post_id, 'field' ); // Ok. echo cpt_info( $post_type, 'query' ); // Ok. to_screen( esc_form_field( $var1), esc_attr( $var2 ) ); // Ok. // @codingStandardsChangeSetting WordPress.XSS.EscapeOutput customPrintingFunctions false // @codingStandardsChangeSetting WordPress.XSS.EscapeOutput customEscapingFunctions false // @codingStandardsChangeSetting WordPress.XSS.EscapeOutput customAutoEscapedFunctions false echo esc_form_field( $var ); // Bad. echo post_info( $post_id, 'field' ); // Bad. echo cpt_info( $post_type, 'query' ); // Bad. echo (unset) $var; // Ok. // Nowdocs are OK. echo <<<'EOD' Some Raw String EOD; echo 1.234; // Ok. echo ( 1.234 + 10 + 2.5 ); // Ok. echo 10 % 2; // Ok. echo 8 * 1.2; // Ok. ?> foo ?>