Data escaping (output) in WordPress - Practice Problems & Coding Challenges

Challenge - 5 Problems
component_behavior
intermediate
What is the output of this WordPress escaping function?
Consider the following PHP code snippet in a WordPress theme template:

<?php
$user_input = '<script>alert("XSS")</script>';
echo esc_html( $user_input );
?>

What will be the output rendered in the browser?
A. &amp;lt;script&amp;gt;alert(&amp;quot;XSS&amp;quot;)&amp;lt;/script&amp;gt;
B. &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;
C. alert("XSS")
D. <script>alert("XSS")</script>
💡 Hint
esc_html() converts special HTML characters to safe entities.
📝 Syntax
intermediate
Which option correctly escapes a URL for safe output in WordPress?
You want to safely output a URL stored in the $url variable inside an HTML attribute in WordPress. Which of the following is the correct escaping function to use?
A. echo sanitize_text_field( $url );
B. echo esc_html( $url );
C. echo esc_attr( $url );
D. echo esc_url( $url );
💡 Hint
Use the function designed specifically for URLs.
🔧 Debug
advanced
Why does this WordPress code output raw HTML instead of escaped text?
Given this code:

<?php
$content = '<strong>Hello</strong>';
echo esc_attr( $content );
?>

Why does the browser render Hello as bold text instead of showing the tags as text?
A. esc_attr() escapes for HTML attributes, but echo outputs raw HTML in body, so tags render.
B. esc_attr() does not escape HTML tags, so they render as HTML.
C. The variable $content is not escaped at all, causing raw HTML output.
D. esc_attr() escapes HTML tags but echo removes escaping automatically.
💡 Hint
esc_attr() is for attribute values, not general HTML content.
state_output
advanced
What is the output of this WordPress code with nested escaping?
Analyze this code:

<?php
$data = '<a href="http://example.com">Link</a>';
echo esc_html( esc_attr( $data ) );
?>

What will be displayed in the browser?
A. &lt;a href=&quot;http://example.com&quot;&gt;Link&lt;/a&gt;
B. <a href="http://example.com">Link</a>
C. &amp;lt;a href=&amp;quot;http://example.com&amp;quot;&amp;gt;Link&amp;lt;/a&amp;gt;
D. http://example.com
💡 Hint
esc_attr() escapes quotes and special chars, esc_html() escapes HTML entities again.
🧠 Conceptual
expert
Which WordPress escaping function should you use to safely output user input inside a JavaScript block?
You want to output user input safely inside a JavaScript block in a WordPress theme. Which escaping function is the best choice?
A. esc_js()
B. esc_html()
C. esc_attr()
D. esc_url()
💡 Hint
Think about escaping for JavaScript context, not HTML or URLs.