security – should I escape a literal url added in functions.php


No, you don’t have to escape values that cannot be changed by someone else.

You should escape output that might be changed by some other source, for example if there is a filter running on the values.

Let’s say you are using wp_upload_dir() to find the upload directory – and you absolutely should, because the location of that directory can be customized! — then there are various filters in play, so you should escape the final URLs.

Or if you insert your own filter option, so you can change the URL per plugin or child theme – again, you need escaping.


$upload_dir = wp_upload_dir();
$upload_url = $upload_dir['baseurl'];
$payment_icons = [
    'visa'       => $upload_url . '/2022/01/visa02.png',
    'mastercard' => $upload_url . '/2022/01/mastercard.png',
$payment_icons = apply_filters( 'theme_payment_icons', $payment_icons );

foreach( $payment_icons as $alt => $url ) {
        '<img src="%1$s" alt="%2$s">',
        esc_url( $url ), // we escape as late as possible!
        esc_attr( $alt )    

JEmmerich 1 year 2022-01-28T23:36:26-05:00 0 Answers 0 views 0

Leave an answer