
esc_js()

Published 2017-09-10 22:28:41

esc_js( string $text )

Escape single quotes, htmlspecialchar " < > &, and fix line endings.


Description

Escapes text strings for echoing in JS. It is intended to be used for inline JS (in a tag attribute, for example onclick="…"). Note that the strings have to be in single quotes. The ‘js_escape’ filter is also applied here.


Parameters

$text

(string) (Required) The text to be escaped.


Return

(string) Escaped text.


Source

File: wp-includes/formatting.php

function esc_js( $text ) {
	$safe_text = wp_check_invalid_utf8( $text );
	$safe_text = _wp_specialchars( $safe_text, ENT_COMPAT );
	$safe_text = preg_replace( '/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes( $safe_text ) );
	$safe_text = str_replace( "\r", '', $safe_text );
	$safe_text = str_replace( "\n", '\\n', addslashes( $safe_text ) );
	/**
	 * Filters a string cleaned and escaped for output in JavaScript.
	 *
	 * Text passed to esc_js() is stripped of invalid or special characters,
	 * and properly slashed for output.
	 *
	 * @since 2.0.6
	 *
	 * @param string $safe_text The text after it has been escaped.
	 * @param string $text      The text prior to being escaped.
	 */
	return apply_filters( 'js_escape', $safe_text, $text );
}
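
The pipeline above can be exercised outside WordPress to see what each class of input turns into. The following is an added example, not part of the original page or of WordPress core: demo_check_utf8() and demo_specialchars() are hypothetical stand-ins that approximate wp_check_invalid_utf8() and _wp_specialchars(), the 'js_escape' filter is omitted, and the sample inputs are constructed.

```php
<?php
// Added example, not WordPress core code: a stand-alone approximation of the
// esc_js() pipeline so its output can be inspected without loading WordPress.

// Assumption: stands in for wp_check_invalid_utf8(), which returns '' when
// the text is not valid UTF-8.
function demo_check_utf8( string $text ): string {
	return ( '' === $text || 1 === preg_match( '/^./us', $text ) ) ? $text : '';
}

// Assumption: stands in for _wp_specialchars( $text, ENT_COMPAT ). Encodes
// & < > " and leaves already-encoded entities alone.
function demo_specialchars( string $text ): string {
	return htmlspecialchars( $text, ENT_COMPAT, 'UTF-8', false );
}

function demo_esc_js( string $text ): string {
	$safe = demo_specialchars( demo_check_utf8( $text ) );
	// Turn entity-encoded apostrophes (&#39; / &#x27;) back into ' so that
	// addslashes() below escapes them like any other single quote.
	$safe = preg_replace( '/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes( $safe ) );
	// Drop carriage returns, then write line feeds as the two characters \n
	// so the JS string literal stays on one line.
	$safe = str_replace( "\r", '', $safe );
	return str_replace( "\n", '\\n', addslashes( $safe ) );
}

// Constructed sample inputs, one per transformation in the pipeline.
$samples = array(
	'apostrophe'   => "Don't panic",          // ' is backslash-escaped
	'double quote' => 'Say "hi"',             // " becomes &quot;
	'entity quote' => 'It&#39;s here',        // decoded, then backslash-escaped
	'line break'   => "line one\r\nline two", // \r removed, \n made literal
	'markup'       => '</script><b>&',        // < > & become entities
	'backslash'    => 'C:\temp',              // stripslashes() removes the backslash
	'invalid utf8' => "bad \xC3\x28 bytes",   // rejected, result is ''
);

foreach ( $samples as $label => $input ) {
	printf( "%-14s [%s]\n", $label . ':', demo_esc_js( $input ) );
}
```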

Changelog

Version    Description
2.8.0      Introduced.

More Information

See Data Validation for more information on escaping and sanitization.


Related

Uses

  • wp-includes/formatting.php: js_escape
  • wp-includes/formatting.php: wp_check_invalid_utf8()
  • wp-includes/formatting.php: _wp_specialchars()
  • wp-includes/plugin.php: apply_filters()

Used By

  • wp-admin/includes/class-wp-links-list-table.php: WP_Links_List_Table::handle_row_actions()
  • wp-admin/includes/class-wp-press-this.php: WP_Press_This::html()
  • wp-admin/includes/class-bulk-upgrader-skin.php: Bulk_Upgrader_Skin::before()
  • wp-admin/includes/class-bulk-upgrader-skin.php: Bulk_Upgrader_Skin::after()
  • wp-admin/includes/class-bulk-upgrader-skin.php: Bulk_Upgrader_Skin::error()
  • wp-admin/includes/image-edit.php: wp_save_image()
  • wp-admin/includes/class-wp-themes-list-table.php: WP_Themes_List_Table::display_rows()
  • wp-admin/includes/meta-boxes.php: link_submit_meta_box()
  • wp-admin/update-core.php: dismissed_updates()
  • wp-includes/deprecated.php: js_escape()
  • wp-includes/widgets/class-wp-widget-categories.php: WP_Widget_Categories::widget()
  • wp-includes/taxonomy.php: sanitize_term_field()
  • wp-includes/class-wp-admin-bar.php: WP_Admin_Bar::_render_item()
  • wp-includes/user.php: sanitize_user_field()
  • wp-includes/media.php: wp_playlist_scripts()
  • wp-includes/post.php: sanitize_post_field()
  • wp-includes/bookmark.php: sanitize_bookmark_field()
  • wp-includes/media-template.php: wp_print_media_templates()

User Contributed Notes

  1. Contributed by Codex

    Example

    Example of an input tag within a form displayed on the front-end of the site, generated from a widget. The first PHP segment is using esc_attr as it is an HTML attribute of input, while the next PHP segments are using esc_js within inline JavaScript.

    
    <input type="text" value="<?php echo esc_attr( $instance['input_text'] ); ?>" id="subbox" onfocus="if ( this.value == '<?php echo esc_js( $instance['input_text'] ); ?>') { this.value = ''; }" onblur="if ( this.value == '' ) { this.value = '<?php echo esc_js( $instance['input_text'] ); ?>'; }" name="email" />
    

    If you’re not working with inline JS in HTML event handler attributes, a more suitable function to use is wp_json_encode(), which is built-in to WordPress. (wp_json_encode() includes the string-delimiting quotes for you):

    
    var title = <?php echo wp_json_encode( $instance['title'] ) ?>;
    
  2. I don’t really see the value of using esc_js() anymore. If you really have to do an inline script attribute, you may want to consider the following example with wp_json_encode() and esc_attr(), which seems easier to read and maintain:

    
    <?php
    $onfocus = sprintf( 
    	'if ( %s === this.value ) { this.value = ""; }',
    	wp_json_encode( $instance['input_text'] )
    );
    $onblur = sprintf(
    	'if ( "" === this.value ) { this.value = %s; }',
    	wp_json_encode( $instance['input_text'] )
    );
    ?>
    <input id="subbox" type="text" name="email"
    	value="<?php echo esc_attr( $instance['input_text'] ); ?>"
    	onfocus="<?php echo esc_attr( $onfocus ); ?>"
    	onblur="<?php echo esc_attr( $onblur ); ?>" />
    

    But in actuality, this specific example doesn’t need any PHP in its script attributes at all. The following should have the same result, thanks to the defaultValue property on the HTMLInputElement interface:

    
    <input id="subbox" type="text" name="email"
    	value="<?php echo esc_attr( $instance['input_text'] ); ?>"
    	onfocus="if ( this.defaultValue === this.value ) { this.value = ''; }"
    	onblur="if ( '' === this.value ) { this.value = this.defaultValue; }" />
    
