redacademy / starfish-winter-2018


Escaping and CFS #16

Open rcass opened 6 years ago

rcass commented 6 years ago

In your theme php files, remember to use escaping functions such as esc_html as a security standard (we want to make sure we are outputting what we think we are outputting). There is more about this in the security lesson slides as well!

Audrobot commented 6 years ago

Hey Rose, just to be clear, am I to wrap both the CFS calls and echos? I'm not sure exactly which ones to use the esc_ functions on. For example, in about.php we have carousels present with echos. Will those need to be wrapped as well?

rcass commented 6 years ago

The escape function doesn't have to wrap the echo.

Basically it will look something like this: `<?php echo esc_html( CFS()->get( 'price' ) ); ?>`

Basically, anytime there is a `<?php echo CFS()->get( 'price' ) ?>` it should be turned into `<?php echo esc_html( CFS()->get( 'price' ) ); ?>`

Audrobot commented 6 years ago

Ah, I see. So I can leave the lone echos alone and focus on the CFS gets then. I wasn't too sure about that after going through the documentation. Thanks for clearing that up!

Audrobot commented 6 years ago

Sorry Rose, I'm unsure about one thing.

Do the CFS gets need to contain an echo?

Should I be wrapping them in escaping functions if they don't have an echo? e.g. `$carousels = CFS()->get( 'about_carousel' );`

Wrap only the gets containing an echo?

Audrobot commented 6 years ago

Also, there are a few CFS gets for the forms, e.g. `<?php echo CFS()->get( 'form_title' ); ?>` and `<?php echo CFS()->get( 'apply_here' ); ?>`

I'm having issues wrapping these. Tried html, textarea, and attr.

Audrobot commented 6 years ago

Hmm, yeah... whenever I attempt to wrap the CFS gets it just displays the content you'd see in the WYSIWYG.

I input this:

`<?php echo esc_html( CFS()->get( 'volunteer_perks_content' ) ); ?>`
Audrobot commented 6 years ago

This displays:

[screenshot: screen shot 2018-03-24 at 8 50 59 pm]

Any suggestions? Sorry for so many messages!
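The thread above covers two things: rcass's rule that every echoed CFS()->get() value gets an escaping function, and the problem that esc_html() on a WYSIWYG field renders the stored markup as literal text (which is exactly what the screenshot shows). The following is an added example written for this page, not code from the starfish-winter-2018 theme or from Custom Field Suite. It shows the WordPress escaping function that fits each output context: esc_html() for text between tags, esc_attr() inside attribute values, esc_url() for href/src, and wp_kses_post() for WYSIWYG HTML, which keeps the allowed post-content markup and strips the rest instead of encoding it. Escaping happens at the point of output; a plain assignment like `$title = CFS()->get( 'form_title' );` is left alone. The field names and values, the Demo_CFS class, and the fallback definitions of the esc_*/wp_kses_post functions are constructed so the file runs on plain PHP outside WordPress; inside a theme the real WordPress functions are already defined and the fallbacks are skipped (the stand-ins are deliberately simplified and are not a substitute for the real ones).

```php
<?php
// Added example: choose the escaping function by output context.
// Inside WordPress, esc_html/esc_attr/esc_url/wp_kses_post already exist and
// the stand-ins below are skipped. Outside WordPress the stand-ins let the file
// run; they are simplified and NOT equivalent to the real WordPress functions.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    function esc_url( $url ) {
        // Stand-in: accept only http(s) URLs, then attribute-escape them.
        $url = trim( (string) $url );
        if ( ! preg_match( '#^https?://#i', $url ) ) {
            return '';
        }
        return htmlspecialchars( $url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'wp_kses_post' ) ) {
    function wp_kses_post( $html ) {
        // Stand-in: keep a short allowlist of tags and drop everything else.
        // The real wp_kses_post also filters attributes and URL protocols.
        return strip_tags( (string) $html, '<p><br><strong><em><a><ul><ol><li><h2><h3>' );
    }
}

if ( ! function_exists( 'CFS' ) ) {
    // Constructed stand-in for the Custom Field Suite API (field names and
    // values invented for this demo). CFS()->get() returns raw stored content.
    class Demo_CFS {
        private $fields = array(
            'price'                   => '$10 <script>alert(1)</script>',
            'form_title'              => 'Apply "today" & join us',
            'apply_here'              => 'https://example.org/apply',
            'volunteer_perks_content' => '<p>Free <strong>coffee</strong></p><img src=x onerror=alert(1)>',
        );
        public function get( $name ) {
            return isset( $this->fields[ $name ] ) ? $this->fields[ $name ] : '';
        }
    }
    function CFS() {
        return new Demo_CFS();
    }
}

// A template fragment in the style of a theme file (hypothetical section name).
function render_about_section() {
    // Assigning the raw value needs no escaping; escape where it is echoed.
    $title = CFS()->get( 'form_title' );
    $link  = CFS()->get( 'apply_here' );

    ob_start();
    ?>
    <h2><?php echo esc_html( $title ); ?></h2>
    <p>Price: <?php echo esc_html( CFS()->get( 'price' ) ); ?></p>
    <a href="<?php echo esc_url( $link ); ?>" title="<?php echo esc_attr( $title ); ?>">Apply here</a>
    <!-- WYSIWYG field: esc_html would show the tags as text; wp_kses_post keeps
         allowed markup (<p>, <strong>) and removes the injected <img onerror>. -->
    <div class="perks"><?php echo wp_kses_post( CFS()->get( 'volunteer_perks_content' ) ); ?></div>
    <?php
    return ob_get_clean();
}

echo render_about_section();
```

Run with `php about-example.php` (any file name) to see the `<script>` in the price field rendered as harmless text, the quotes in the title encoded inside the `title` attribute, and the perks block keeping its paragraph and bold markup while the `<img onerror>` is dropped. In the theme, use the real WordPress functions and keep the same rule: the function is chosen by where the value lands in the HTML, not by which field it came from.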