Deprecated clean_url() in favor of esc_u…

Deprecated clean_url() in favor of esc_url(), and deprecated sanitize_url() in favor of esc_url_raw().

#api, #escaping, #esc_url_raw, #security

Deprecated wp_specialchars() in favor of…

Deprecated wp_specialchars() in favor of esc_html() (also: esc_html__() and esc_html_e()). Using wp_specialchars() with more than one param works for backwards compat. Also, esc_html() (or wp_specialchars() with one param) escapes quotes, just like esc_attr(). This buys security for plugin authors who were mistakenly using a one-param wp_specialchars() call in an HTML attribute. See this wp-hackers message for more detail.

#api, #escaping, #security
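
Why quote escaping matters inside an attribute, as an added example that is not part of the original post and is not WordPress source code. It is plain PHP: `legacy_escape_no_quotes()` and `escape_with_quotes()` are hypothetical stand-ins built on `htmlspecialchars()`, assuming the earlier one-param call left quotes unescaped, and the input string is constructed.

```php
<?php
// Added example: runs without WordPress. Both helpers are hypothetical
// stand-ins built on htmlspecialchars(), not WordPress code.

// Assumed model of the earlier one-param call: encodes <, > and &,
// but leaves quotes as they are.
function legacy_escape_no_quotes(string $text): string {
    return htmlspecialchars($text, ENT_NOQUOTES, 'UTF-8');
}

// Models the behaviour the post describes for esc_html() and esc_attr():
// double and single quotes are encoded too.
function escape_with_quotes(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Parse the markup and return the attributes found on the first <input>,
// so the result reflects what an HTML parser sees, not string matching.
function parsed_attributes(string $html): array {
    $doc = new DOMDocument();
    @$doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $input = $doc->getElementsByTagName('input')->item(0);
    $found = [];
    if ($input !== null) {
        foreach ($input->attributes as $attr) {
            $found[$attr->name] = $attr->value;
        }
    }
    return $found;
}

// Constructed user-supplied value containing a double quote.
$value = 'Display name" data-injected="1';

$before = '<input type="text" value="' . legacy_escape_no_quotes($value) . '">';
$after  = '<input type="text" value="' . escape_with_quotes($value) . '">';

// Without quote escaping the value ends at the embedded quote and the rest
// is parsed as an extra attribute on the element.
echo $before, "\n";
print_r(parsed_attributes($before));

// With quote escaping the whole string stays inside value="...".
echo $after, "\n";
print_r(parsed_attributes($after));
```

The first dump lists a `data-injected` attribute that the template never wrote; the second lists only `type` and `value`, with the full string preserved as the value.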

Standardizing and shortening the WP secu…

Standardizing and shortening the WP security escaping functions.

attribute_escape() is now esc_attr()

Additionally, you can do attribute escaping and translation in one go. Just add the translation function to the end. Like so:

  • esc_attr__() — translate and return, attribute-escaped.
  • esc_attr_e() — translate and echo, attribute-escaped.

Will be following up with esc_html (with __() and _e() variants), esc_url(), maybe some more. Will be nice, short, predictable, and allow you to translate/escape in one go without a lot of nested parentheses.

#api, #escaping, #security