WordPress/WordPress-Coding-Standards

What's the difference between autoescaped and escaping functions?

kkmuffme opened this issue · 5 comments

It's not clear from the code nor from the docs. Could someone clarify this?

As noted in the docblock above the properties, autoEscapedFunctions are functions whose output is automatically escaped for display.

escapingFunctions are functions that escape values for display.

Ref: https://github.com/WordPress/WordPress-Coding-Standards/blob/develop/WordPress/Helpers/EscapingFunctionsTrait.php

But practically/logically that's the same thing? Can you give me an example of the difference?

e.g. why is wp_title an autoEscapedFunction and not an escaping function, since it "escapes" the first param ($sep)? In logical terms, that's the same thing as e.g. esc_html_e does - it translates, then escapes the first param.

EDIT: to make it more obvious logically:
functions accept either secure or insecure input (or nothing)
functions return either secure or insecure output (or nothing)

printing functions => secure input only (otherwise error) => secure output
escaping functions => insecure input => secure output
autoescaped functions => insecure input => secure output
all other functions => insecure input => insecure output

Since phpcs doesn't track the type, the option:
secure input => secure output
isn't a separate case

Where/how is there a difference between escaping/autoescaped functions in this schema?

The difference is the purpose of the function.

We put functionalities in the function for the sake of some intention. The same way you put similar functionalities in classes (encapsulation).

The intention or purpose of escaping functions is to escape - that is, make the output safe to use. That is what they do. You pass the input in, and the output you get is safe to display.

Autoescaped functions are not about escaping. For instance, the wp_title function's purpose is to display or return the page title. That function is safe in that, no matter what you pass, the result you get is safe to use.
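An added example (not code from the issue or from WPCS itself) showing how the four categories in the question's schema, and the wp_title point in the reply above, look in theme code from the point of view of the WordPress.Security.EscapeOutput sniff. The `$title` value and the text domain are constructed stand-ins; the sniff does not track values, only which function wraps the echoed expression.

```php
<?php
// Constructed stand-in for untrusted data (the sniff does not track values,
// so any plain variable counts as "insecure input").
$title = '<b>untrusted</b> value';

// 1. Escaping function: insecure input in, secure output out.
//    esc_html() is listed in $escapingFunctions, so echoing its result passes.
echo esc_html( $title );

// 2. Printing function that escapes: esc_html_e() translates, escapes and
//    echoes in one step, so no extra wrapper is needed.
esc_html_e( 'Search results', 'example-textdomain' );

// 3. Auto-escaped function: wp_title()'s job is to produce the page title, and
//    its return value is treated as already safe, so it is listed in
//    $autoEscapedFunctions and echoing it directly passes without an esc_*() wrapper.
echo wp_title( '|', false );

// 4. Everything else: strtoupper() neither escapes nor is auto-escaped, so its
//    output is still "insecure" and must be wrapped before being echoed.
echo strtoupper( $title );              // flagged by the sniff
echo esc_html( strtoupper( $title ) );  // passes

// Echoing the raw variable is the baseline case the sniff exists to catch.
echo $title;                            // flagged by the sniff
```

Run `phpcs --standard=WordPress` over the file to see which of the `echo` lines are reported; the distinction the maintainers describe is that cases 1 and 3 both pass, but for different reasons: esc_html() is trusted because escaping is what it does, while wp_title() is trusted because its own output is already safe.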

Seems quite arbitrary and unnecessarily complex to maintain, since logically they're doing the same (even if their intention might be different) in terms of secure output.

Code is written for humans, and knowing the distinction between the two is very useful to have documented.

I can tell you from first-hand experience that this list was useful when reviewing themes for instance 😉