Deprecated clean_url() in favor of esc_u…

Deprecated clean_url() in favor of esc_url(), and deprecated sanitize_url() in favor of esc_url_raw().

#api, #escaping, #esc_url_raw, #security

Deprecated wp_specialchars() in favor of…

Deprecated wp_specialchars() in favor of esc_html() (also: esc_html__() and esc_html_e()). Using wp_specialchars() with more than one param works for backwards compat. Also, esc_html() (or wp_specialchars() with one param) escapes quotes, just like esc_attr(). This buys security for plugin authors who were mistakenly using a one-param wp_specialchars() call in an HTML attribute. See this wp-hackers message for more detail.

#api, #escaping, #security

Standardizing and shortening the WP secu…

Standardizing and shortening the WP security escaping functions.

attribute_escape() is now esc_attr()

Additionally, you can do attribute escaping and translation in one go. Just add the translation function to the end. Like so:

  • esc_attr__() — translate and return, attribute-escaped.
  • esc_attr_e() — translate and echo, attribute-escaped.

Will be following up with esc_html (with __() and _e() variants), esc_url(), maybe some more. Will be nice, short, predictable, and allow you do translate/escape in one go without a lot of nested parenthesis.

#api, #escaping, #security