Should you escape hardcoded URLs?

I’m writing a very simple social share plugin for a client. I’m using these two functions to display the share buttons at the bottom of each post:

<?php
/**
 * Social buttons
 *
 * Outputs the Facebook, Twitter and LinkedIn share markup for the current post.
 */
function zss_share_buttons() {
?>
    <div class="zss">

        <div id="fb-root"></div>
        <script>
            (function(d, s, id) {
                var js, fjs = d.getElementsByTagName(s)[0];
                if (d.getElementById(id)) return;
                js = d.createElement(s); js.id = id;
                js.src = "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v3.0";
                fjs.parentNode.insertBefore(js, fjs);
            }(document, 'script', 'facebook-jssdk'));
        </script>
        <!-- the_permalink() already passes the URL through esc_url() before echoing it -->
        <div class="fb-share-button" data-href="<?php the_permalink(); ?>" data-layout="button_count" data-lazy="true"></div>

        <!-- Permalink and title are query-string values here, so both are percent-encoded before output -->
        <a href="https://twitter.com/share?url=<?php echo urlencode( get_permalink() ); ?>&amp;text=<?php echo urlencode( get_the_title() ); ?>" title="Share on Twitter" target="_blank" rel="nofollow noopener noreferrer" class="zss-button zss-button--twitter">Twitter</a>

        <a class="zss-button zss-button--linkedin" href="http://www.linkedin.com/shareArticle?mini=true&amp;url=<?php echo urlencode( get_permalink() ); ?>" title="Share on LinkedIn" target="_blank" rel="nofollow noopener noreferrer">LinkedIn</a>

    </div>
<?php }

/**
 * Insert share buttons
 *
 * Appends the share markup to the content of single posts only.
 */
function zss_insert_share_buttons( $content ) {
    if ( is_single() && 'post' == get_post_type() ) {
        // Capture the HTML echoed by zss_share_buttons() and append it to the post content.
        ob_start();
        zss_share_buttons();
        $content .= ob_get_clean();
    }
    return $content;
}
add_filter( 'the_content', 'zss_insert_share_buttons' );

Is it necessary to escape the hardcoded social media URLs with esc_url()? As I understand it, if the URL doesn’t have an input via admin, it should be okay.

Answers:


Method 1

No, you don’t need to escape hardcoded values.

> As I understand it, if the URL doesn’t have an input via admin, it should be okay.

Not necessarily. There are many more potential sources of potentially malicious (or just accidentally broken) output that need to be accounted for, such as:

  • Translations.
  • Query strings ($_GET).
  • Cookies.
  • WordPress filters.

So generally you should escape any values output from most, if not all, functions and variables.
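The distinction the answer draws, shown as an added PHP example (it is not code from the question or the answer): the hardcoded scheme and host of the share URL are printed as-is, while every dynamic piece (the permalink, the post title, a value read from `$_GET`) is percent-encoded when it enters the query string and then escaped for attribute context when it is output. The function name `zss_twitter_share_link`, the `example.com` permalinks and the sample titles are constructed for this example. Because it is meant to run outside WordPress, simplified stand-ins for `esc_url()`, `esc_attr()` and `esc_html()` are defined when the real ones are absent; they are not the WordPress implementations, which do more (scheme allow-list, entity normalisation, filters).

```php
<?php
// Added example, not from the original post. Outside WordPress the esc_*
// helpers do not exist, so simplified stand-ins are defined for demonstration.
// They are NOT the real WordPress implementations (assumption: htmlspecialchars()
// with ENT_QUOTES is close enough to illustrate attribute-context escaping).
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    // Stand-in: accept only http(s) URLs and entity-encode for an attribute.
    function esc_url( $url ) {
        $url = trim( (string) $url );
        if ( ! preg_match( '#^https?://#i', $url ) ) {
            return '';
        }
        return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
    }
}

/**
 * Build the Twitter share anchor (hypothetical helper for this example).
 *
 * $permalink and $title are treated as untrusted: in WordPress either may have
 * been altered by another plugin through the 'the_permalink' / 'the_title'
 * filters or by a translation file. $via stands in for a request value.
 */
function zss_twitter_share_link( $permalink, $title, $via = '' ) {
    // Hardcoded base: a known-good literal, nothing to escape here.
    $base = 'https://twitter.com/share';

    // Dynamic values become query-string parameters, so percent-encode them first.
    // This also stops an '&' or '=' inside the title from adding extra parameters.
    $query = 'url=' . rawurlencode( $permalink ) . '&text=' . rawurlencode( $title );
    if ( '' !== $via ) {
        $query .= '&via=' . rawurlencode( $via );
    }

    // Attribute context: esc_url() checks the scheme and encodes quotes/ampersands.
    // In WordPress the title/label would typically be esc_attr( __( '...', 'zss' ) ),
    // i.e. the translated string is escaped as well, because translations are output too.
    return '<a href="' . esc_url( $base . '?' . $query ) . '"'
         . ' title="' . esc_attr( 'Share on Twitter' ) . '"'
         . ' rel="nofollow noopener noreferrer">' . esc_html( 'Twitter' ) . '</a>';
}

// Constructed sample inputs: a benign post, and one whose title and a request
// parameter carry attribute-breaking characters, as a filter, translation or
// query string could produce.
$_GET['via'] = 'acme"<';   // simulated request input (constructed)
$cases = array(
    array( 'https://example.com/hello-world/', 'Hello World' ),
    array( 'https://example.com/a-b/', 'Tom & Jerry "Quotes" <b>' ),
);

foreach ( $cases as $case ) {
    $via = isset( $_GET['via'] ) ? $_GET['via'] : '';
    echo zss_twitter_share_link( $case[0], $case[1], $via ), "\n";
}

// For comparison only: the same values interpolated without encoding or escaping.
// The quote in the title closes the href attribute, which is the failure mode the
// answer is warning about.
$unsafe = '<a href="https://twitter.com/share?url=' . $cases[1][0]
        . '&text=' . $cases[1][1] . '">Twitter</a>';
echo $unsafe, "\n";
```

Running the script prints two well-formed anchors whose `href` contains only percent-encoded parameter values (`Tom%20%26%20Jerry%20%22Quotes%22%20%3Cb%3E`, `acme%22%3C`), followed by the unescaped comparison line in which the raw `"` and `<` land inside the attribute. The practical rule it illustrates is the answer's: escape at the point of output, decided by context (`esc_url()` for URLs in attributes, `esc_attr()` for other attribute values, `esc_html()` for text nodes), regardless of whether the value started life as a literal in your own file.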


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0.
