WordPress - Should `get_template_directory_uri()` be escaped?

In that function we find a hook:

```php
return apply_filters(
    'template_directory_uri',
    $template_dir_uri,
    $template,
    $theme_root_uri
);
```

So, yes, the URI can be changed by plugins, and you should escape its returned value.

The same principle applies to all WordPress URI functions, like get_home_url(), get_site_url() and so on. Keep in mind that there are not only good plugin developers out there. Some make mistakes, maybe just very small ones that happen only in some circumstances.

In the case of `wp_enqueue_style()`, WordPress does escape the URL by default. But that is a wrapper for the global `WP_Styles` instance, and this in turn can be replaced easily – even with a less safe version. That's not very likely, but you should be aware of this possibility.

Unfortunately, WP itself doesn't follow the better safe than sorry directive. It doesn't even escape translations. My advice is not to look at the core themes for best practices. Always look at the source of the data and see if it can be compromised.


Will try to make swissspidy's comment into an answer. Short version - it depends.

Escaping should not be applied randomly, as double escaping might produce a URL (or any kind of content) which does not match the intended URL. Escaping should be applied only before output. Therefore the context is more important than the specific function that calculates the URL.

In your example, the first snippet just enqueues the URL and does not output it. The responsibility for escaping is delegated further into the WordPress stack to the code that actually outputs it, and that is the reason it is not escaped.

The second snippet does the output and that is why the url is being escaped.

So how do you know when you should not escape? Hopefully somewhere in the future the documentation of WordPress APIs will include that information, but for now either follow the full code path until the actual output, or test your theme under "funny" URLs.
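
One way to run the "funny URL" test on a local test site, as an added example that is not part of either answer or of WordPress itself: a must-use plugin that hooks the `template_directory_uri` filter quoted in the first answer and reports whether the altered value reaches the page unescaped. The file name, the `THEME_URI_CANARY` constant, the `canary_*` function names and the marker string are assumptions made for this sketch.

```php
<?php
/**
 * Plugin Name: Theme URI escaping canary (added example, local test sites only)
 *
 * Assumed location: wp-content/mu-plugins/theme-uri-canary.php (hypothetical name).
 * Theme assets will fail to load while this is active; that is expected.
 */

// Constructed marker: characters that must never reach HTML unescaped.
const THEME_URI_CANARY = 'canary"\'<>';

// The same hook that get_template_directory_uri() passes its result through.
add_filter( 'template_directory_uri', 'canary_filter_template_uri', 99 );

function canary_filter_template_uri( $uri ) {
    return $uri . '/' . THEME_URI_CANARY;
}

// Buffer the whole front-end response so the final markup can be inspected.
add_action( 'template_redirect', function () {
    ob_start( 'canary_scan_output' );
} );

function canary_scan_output( $html ) {
    // esc_url() strips the quote and angle-bracket characters and esc_attr()
    // encodes them, so the raw marker only survives where the theme printed
    // the URI without escaping it.
    $hits = substr_count( $html, THEME_URI_CANARY );

    if ( $hits > 0 ) {
        error_log( sprintf(
            'theme-uri-canary: %d unescaped template URI occurrence(s) in this response',
            $hits
        ) );
    }

    // Leave a trace in the page source as well, for quick manual checks.
    return $html . sprintf( "\n<!-- theme-uri-canary: %d unescaped -->", $hits );
}
```

Load a few front-end pages, check the PHP error log or the trailing HTML comment, then remove the file.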