esc_url or esc_attr or both


esc_url or esc_attr or both

Haluk Karamete
Say, you're retrieving a value from the SB and you expect that to be in
the form of a URL.

Let's assume that that value has to go in an img tag as its src attribute;

In this case, what's the recommended way to escape that from an XSS point
of view?

I provided 4 ways below:

1: just do esc_url
<img src="<?php echo esc_url($url_maybe); ?>" >

2: just do esc_attr
<img src="<?php echo esc_attr($url_maybe); ?>" >

3: do both but run esc_attr first
<img src="<?php echo esc_url(esc_attr($url_maybe)); ?>" >

4: do both but run esc_url first
<img src="<?php echo esc_attr(esc_url($url_maybe)); ?>" >


Similar confusion may occur in deciding esc_js and so on.
What simple guide can I use in situations like this?
_______________________________________________
wp-hackers mailing list
[hidden email]
http://lists.automattic.com/mailman/listinfo/wp-hackers

Re: esc_url or esc_attr or both

Morgan Estes
In this case, using esc_url() as in example 1 is the way to go. Because of
the way the methods escape output, esc_attr() should be used for all other
tag attributes, but src and href should be escaped with esc_url().

On Wed, Apr 22, 2015, 7:59 PM Haluk Karamete <[hidden email]>
wrote:

> Say, you're retrieving a value from the SB and you expect that to be in
> the form of a URL.
>
> Let's assume that that value has to go in an img tag as its src attribute;
>
> In this case, what's the recommended way to escape that from an XSS point
> of view.
>
> I provided 4 ways below;
>
> 1: just do esc_url
> <img src="<?php echo esc_url($url_maybe); ?>" >
>
> 2: just do esc_attr
> <img src="<?php echo esc_attr($url_maybe); ?>" >
>
> 3: do both but run esc_attr first
> <img src="<?php echo esc_url(esc_attr($url_maybe)); ?>" >
>
> 4: do both but run esc_url first
> <img src="<?php echo esc_attr(esc_url($url_maybe)); ?>" >
>
>
> Similar confusion may occur in deciding esc_js and so on.
> What simple guide can I use in situations like this?
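Morgan's rule above (esc_url() for src and href, esc_attr() for every other attribute) applied across one template, as an added example that is not code from the thread or from WordPress core. It assumes it runs inside WordPress, where esc_url(), esc_attr() and esc_html() are defined; $image is a hypothetical record and every string in it is a constructed sample.

```php
<?php
// Added example, not code from the thread or from WordPress core. It assumes
// WordPress is loaded, so esc_url(), esc_attr() and esc_html() exist.
// $image is hypothetical; its values are constructed samples standing in for
// whatever was read from the database.
$image = array(
    'url'     => 'https://example.com/a.png?x=1&y=2',
    'alt'     => 'Photo of a "quoted" <title>',
    'caption' => 'Caption with <b>markup</b>',
);
?>
<figure>
    <?php // src/href: esc_url() validates the scheme and encodes for HTML. ?>
    <?php // Every other attribute: esc_attr(). Text between tags: esc_html(). ?>
    <img src="<?php echo esc_url( $image['url'] ); ?>"
         alt="<?php echo esc_attr( $image['alt'] ); ?>"
         data-caption="<?php echo esc_attr( $image['caption'] ); ?>">
    <figcaption><?php echo esc_html( $image['caption'] ); ?></figcaption>
</figure>
<?php
// Why esc_attr() alone is not enough for src: it encodes quotes, angle
// brackets and ampersands, which keeps the value inside the attribute, but it
// accepts any scheme. esc_url() returns '' when the scheme is not in
// wp_allowed_protocols(), prefixes http:// when the value has no scheme at
// all, and encodes & as &#038; so the result is valid inside HTML.
$samples = array(
    'https://example.com/a.png?x=1&y=2', // constructed: ordinary URL
    'example.com/a.png',                 // constructed: no scheme
    'javascript:void(0)',                // constructed: scheme not allowed
);
foreach ( $samples as $value ) {
    printf(
        "%-36s esc_attr: %-40s esc_url: %s\n",
        $value,
        esc_attr( $value ),
        var_export( esc_url( $value ), true )
    );
}
```

The loop at the end is the check worth keeping in mind when choosing: both functions keep the value from breaking out of a quoted attribute, but only esc_url() decides whether the value is allowed to be a URL at all, which is the property src and href need. Note that esc_url() output is entity-encoded for HTML; for a URL that is going somewhere other than HTML output (a redirect header, a database column), WordPress provides esc_url_raw() with the same scheme check and no encoding.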

Re: esc_url or esc_attr or both

Haluk Karamete
Thanks Morgan. After your reply, I checked with the codex and saw that it
says the same exact thing as you said.
I should not have asked my original question that way. That was too
obvious.

Maybe I should have asked the question in the following format and see if
it is the right way or not

document.write('<img src="' + '<?php echo esc_js(esc_url($image_url_js)); ?>' + '">');

Or if the 'esc_js' in there is necessary?

I'm seeking an overall recipe/guidance that would work across the board so
that I do not overlook some odd situation and get xss'ed.




On Wed, Apr 22, 2015 at 6:30 PM, Morgan Estes <[hidden email]>
wrote:

> In this case, using esc_url() as in example 1 is the way to go. Because of
> the way the methods escape output, esc_attr() should be used for all other
> tag attributes, but src and href should be escaped with esc_url().
>

Re: esc_url or esc_attr or both

Morgan Estes
In this case, esc_js() isn't used properly and is overkill; its main use
is for escaping inline handlers like onclick. Since you're escaping a URL
that's used in the src attribute, esc_url() works just fine.

If you're escaping JS values, use wp_json_encode() and avoid using esc_js()
(and inline event handlers in general).

On another note, if you can at all avoid document.write() for adding an
element to the DOM, you'll be much happier for it. :)

Morgan W. Estes
http://morganestes.com <http://about.me/morganestes>

On Wed, Apr 22, 2015 at 10:48 PM, Haluk Karamete <[hidden email]>
wrote:

> Thanks Morgan. After your reply, I checked with the codex and saw that it
> says the same exact thing as you said.
> I should not have asked my original question that way. That was too
> obvious.
>
> Maybe I should have asked the question in the following format and see if
> it is the right way or not
>
> document.write('<img src="' + '<?php echo esc_js(esc_url($image_url_js)); ?>' + '">');
>
> Or if the 'esc_js' in there is necessary?
>
> I'm seeking an overall recipe/guidance that would work across the board so
> that I do not overlook some odd situation and get xss'ed.
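The alternative Morgan recommends for the document.write() case (wp_json_encode() for a value handed to JavaScript, and building the element through the DOM), as an added example that is not code from the thread or from WordPress core. It assumes WordPress is loaded; $image_url is a hypothetical value and the sample string is constructed. Because the value goes straight into an element property and never through the HTML parser, this version uses esc_url_raw(), the non-entity-encoding variant of esc_url(), where the document.write() version correctly used esc_url().

```php
<?php
// Added example, not code from the thread or from WordPress core. Assumes
// WordPress is loaded (esc_url_raw(), wp_json_encode()). $image_url is a
// hypothetical value read from untrusted storage; the sample is constructed.
$image_url = 'https://example.com/a.png?x=1&y=2';

// esc_url_raw() applies the same scheme check as esc_url() but does not
// entity-encode, because this value is not being written into HTML.
// wp_json_encode() then produces a JavaScript string literal: " becomes \"
// and / becomes \/, so the value can neither close the literal nor contain
// a literal </script> that would end the script block early.
$image_src_js = wp_json_encode( esc_url_raw( $image_url ) );
?>
<div id="gallery"></div>
<script>
    var imageSrc = <?php echo $image_src_js; ?>;

    // Build the element through the DOM instead of document.write(). The
    // URL is assigned to a property, so it is never re-parsed as markup,
    // and the scheme was already checked server-side by esc_url_raw().
    var img = document.createElement( 'img' );
    img.src = imageSrc;
    img.alt = '';
    document.getElementById( 'gallery' ).appendChild( img );
</script>
```

In a real theme or plugin the same value would normally be passed through wp_localize_script() attached to an enqueued script rather than an inline block in the template, but the two rules are the same either way: pick the URL check (esc_url() for HTML output, esc_url_raw() otherwise) for the value's type, and let wp_json_encode() handle the JavaScript context instead of esc_js().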