So, I’ve been using {!! $variable !!} and someone told me, that’s vulnerable to XSS attacks.
My question is, if we shouldn’t be using that, what should we do? We can use {{ $variable }}, but the issue is, some characters aren’t read such as © and at time apostrophie and such. Its the issue with {{ }}.
What’s the safe way to go and do this?
Are you looking for esc_html?
Hey @AurelianSpodarec ,
If you want to sanitize WYSIWYG output for allowed HTML tags for post content, you can use {!! wp_kses_post($var) !!}, also if you will want to replace double line breaks with paragraph elements and sanitize content for allowed HTML, then you can use {!! wpautop(wp_kses_post($var)) !!}, but if you will want to escape HTML, you can use the function suggested by @ben {!! esc_html($var) !!}.
Hope that makes sense for you.
This topic was automatically closed after 42 days. New replies are no longer allowed.