Directory

What's the difference between autoescaped and escaping functions? · Issue #2411 · WordPress/WordPress-Coding-Standards · GitHub
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

What's the difference between autoescaped and escaping functions? #2411

Closed
kkmuffme opened this issue Dec 7, 2023 · 5 comments
Closed

What's the difference between autoescaped and escaping functions? #2411

kkmuffme opened this issue Dec 7, 2023 · 5 comments
Labels
Type: Question

Comments

@kkmuffme
Copy link

kkmuffme commented Dec 7, 2023

It's not clear from the code nor from the docs. Could someone clarify this?
@dingo-d
Copy link
Member

dingo-d commented Dec 7, 2023

As noted in the docblock above the properties, autoEscapedFunctions are functions whose output is automatically escaped for display.

escapingFunctions are functions that escape values for display.

Ref: https://github.com/WordPress/WordPress-Coding-Standards/blob/develop/WordPress/Helpers/EscapingFunctionsTrait.php

@kkmuffme
Copy link
Author

kkmuffme commented Dec 7, 2023
edited

But practically/logically that's the same thing? Can you give me an example of the difference?

e.g. why is wp_title and autoEscapedFunction and not an escaping function, since it "escapes" the first param ($sep). In logical terms, that's the same thing as e.g. esc_html_e does - it translates, then escapes the first param.

EDIT: to make it more obvious logically:
functions accept either secure or insecure input (or nothing)
functions return either secure or insecure output (or nothing)

printing functions => secure input only (otherwise error) => secure output
escaping functions => insecure input => secure output
autoescaped functions => insecure input => secure output
all other functions => insecure input => insecure output

Since phpcs doesn't track the type, the option:
secure input => secure output
isn't a separate case

Where/how is there a difference between escaping/autoescaped functions in this schema?

@dingo-d
Copy link
Member

dingo-d commented Dec 8, 2023
edited

The difference is the purpose of the function.

We put functionalities in the function for the sake of some intention. The same way you put similar functionalities in classes (encapsulation).

The intention or purpose of escaping functions is to escape - that is, make the output safe to use. That is what they do. You pass the input in, and the output you get is safe to display.

Autoescaped functions are not about escaping. For instance, the wp_title function's purpose is to display or return the page title. That function is safe, in that, no matter what you pass, the result you get is safe to use.

@kkmuffme
Copy link
Author

kkmuffme commented Dec 8, 2023

Seems quite arbitrary and unnecessary complex to maintain, since logically they're doing the same (even their intention might be different) in terms of secure output.

@kkmuffme kkmuffme closed this as completed Dec 8, 2023
@kkmuffme kkmuffme mentioned this issue Dec 8, 2023
Open
@dingo-d
Copy link
Member

dingo-d commented Dec 8, 2023

Code is written for humans, and knowing the distinction between the two is very useful to have documented.

I can tell you from first-hand experience that this list was useful when reviewing themes for instance 😉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Type: Question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dingo-d @kkmuffme