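<?php
// __() RETURNS the translation and prints nothing on its own, so the original
// `<?php __( ... ) ?>` emitted an empty string. Echo it, and escape on output:
// translation files are data supplied with the theme/plugin, not trusted markup.
echo esc_html__( 'String to be translated', 'unique_identifier_string' );
?>
<?php
// wp_localize_script( string $handle, string $name, array $data ): bool
// Prints $data as the JS global $name before the script registered as $handle.
// Documented to cast scalar values to strings, so pass string-shaped data
// (labels, nonces, URLs); use wp_add_inline_script() + wp_json_encode() for
// typed structures.
wp_localize_script( $handle, $name, $data );
?>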
<?php
// Register first: wp_localize_script() requires a registered (or enqueued) handle.
wp_register_script( 'some_handle', 'path/to/myscript.js' );

// Data handed to the script as the global `object_name`. Strings go through
// __() for translation; wp_localize_script() is documented to cast scalars to
// strings, so keep values here string-shaped.
$localized = array(
	'some_string' => __( 'Some string to translate', 'plugin-domain' ),
	'a_value'     => '10',
);
wp_localize_script( 'some_handle', 'object_name', $localized );

// Enqueue last so the inline data block is printed ahead of the script tag.
wp_enqueue_script( 'some_handle' );
// usage — inside myscript.js: `object_name` is a global printed before the
// script tag by wp_localize_script(), so it is readable at load time.
// NOTE(review): wp_localize_script() is documented to cast scalar values to
// strings, so expect a_value to be "10" (a string) — confirm in the console.
object_name.some_string
object_name.a_value
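// sanitize fields
<input type="text" id="title" name="title" />
// Sanitising is not authorisation: before reading $_POST, verify a nonce
// (wp_verify_nonce, see the form example below) and the user's capability —
// otherwise any logged-in user (or CSRF'd browser) can rewrite the meta.
if ( isset( $_POST['title'] ) && current_user_can( 'edit_post', $post->ID ) ) {
	// wp_unslash() removes the slashes WordPress adds to superglobals;
	// sanitize_text_field() then strips tags, line breaks and stray whitespace.
	$title = sanitize_text_field( wp_unslash( $_POST['title'] ) );
	update_post_meta( $post->ID, 'title', $title );
}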
sanitize_email() — strips characters not permitted in an address and returns '' when the remainder is not a valid email; treat an empty result as rejection, not as a value to store.
sanitize_file_name()
sanitize_html_class()
sanitize_key()
sanitize_meta() — runs the sanitize_callback registered for that key via register_meta(); for a meta key that was never registered it returns the value unchanged, so it is not a substitute for the specific sanitizers above.
sanitize_mime_type()
sanitize_option()
sanitize_sql_orderby() — validates (does not escape) an ORDER BY clause and returns false unless it matches `column[, column] [ASC|DESC]`; abort on false instead of interpolating, and keep every other user-supplied value in the query behind $wpdb->prepare().
sanitize_text_field()
sanitize_textarea_field()
sanitize_title()
sanitize_title_for_query()
sanitize_title_with_dashes()
sanitize_user()
// ESCAPING
Some template tags that echo — the_title(), the_permalink() — already apply their output filters and are conventionally printed as-is. Their get_* counterparts (get_the_title(), get_permalink()) return raw values that you must escape yourself. When unsure, escape late and escape anyway: a double-escaped title is a cosmetic bug, a missed escape is XSS.
<h4><?php the_title(); // echoes with the the_title filters applied; get_the_title() returns the raw value and would need esc_html() ?></h4>
Use esc_html() whenever data is printed as the text content of an HTML element (between tags).
<h4><?php echo esc_html( $title ); // entity-encodes < > & " ' so $title renders as text, never as markup ?></h4>
esc_url() should be used on all URLs, including those in the 'src' and 'href' attributes of an HTML element.
<img src="<?php echo esc_url( $great_user_picture_url ); // drops URLs whose scheme is not allow-listed (javascript:, data: are rejected) and encodes the rest; esc_url_raw() is the variant for storing in the DB ?>" />
esc_js() is for a value placed inside a single-quoted JavaScript string literal (it escapes quotes, `</` and line endings). It does not make arbitrary code safe to run — only escape data, never code — and for handing data to scripts, wp_json_encode() via wp_add_inline_script() or wp_localize_script() is the safer pattern.
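<?php // esc_js() only protects a value INSIDE a single-quoted JS string literal; it cannot make executable code safe, so $custom_js must hold data, not code. Prefer wp_add_inline_script() + wp_json_encode() for passing data to scripts. ?>
<a href="#" onclick="alert('<?php echo esc_js( $custom_js ); ?>')">Click me</a>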
esc_attr() is for everything else printed inside a quoted HTML attribute value — it does not make href/src (use esc_url()) or event-handler attributes (JS context) safe, and the attribute must actually be quoted.
<ul class="<?php echo esc_attr( $stored_class ); // for quoted attribute values; NOT for href/src (esc_url) or on* handlers ?>">
esc_textarea() encodes text for use inside a textarea element.
<textarea><?php echo esc_textarea( $text ); // htmlspecialchars() with the blog charset, so a literal </textarea> inside $text cannot close the element ?></textarea>
// add a nonce to the form
<form method="POST">
<?php wp_nonce_field( 'awesome_update', 'awesome_form' ); // args: action, field name — both must match wp_verify_nonce( $_POST['awesome_form'], 'awesome_update' ) in the handler; by default also prints a hidden _wp_http_referer field ?>
<table class="form-table">
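public function handle_form() {
	// 1. CSRF guard: the field printed by wp_nonce_field( 'awesome_update', 'awesome_form' )
	//    must be present and valid. Unslash first — WordPress adds magic-quote
	//    slashes to $_POST — and never index $_POST without isset().
	$nonce = isset( $_POST['awesome_form'] ) ? sanitize_text_field( wp_unslash( $_POST['awesome_form'] ) ) : '';
	if ( ! wp_verify_nonce( $nonce, 'awesome_update' ) ) { ?>
		<div class="error">
		<p>Sorry, your nonce was not correct. Please try again.</p>
		</div> <?php
		exit; // wp_die() is the usual WordPress equivalent
	}

	// 2. Authorisation: a nonce only proves the request came from a form we rendered,
	//    not that this user may change site options. Require the capability explicitly.
	if ( ! current_user_can( 'manage_options' ) ) { ?>
		<div class="error">
		<p>You are not allowed to change these settings.</p>
		</div> <?php
		exit;
	}

	// 3. Sanitise, then validate against an allow-list before persisting anything.
	$valid_usernames = array( 'admin', 'matthew' );
	$valid_emails    = array( 'email@domain.com', 'anotheremail@domain.com' );
	$username = isset( $_POST['username'] ) ? sanitize_text_field( wp_unslash( $_POST['username'] ) ) : '';
	$email    = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

	// Strict comparison: loose in_array() applies PHP's juggling rules to the match.
	if ( in_array( $username, $valid_usernames, true ) && in_array( $email, $valid_emails, true ) ) {
		update_option( 'awesome_username', $username );
		update_option( 'awesome_email', $email ); ?>
		<div class="updated">
		<p>Your fields were saved!</p>
		</div> <?php
	} else { ?>
		<div class="error">
		<p>Your username or email were invalid.</p>
		</div> <?php
	}
}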
// It adds script /js/main.js to your theme + NONCE
// Example: https://www.22nds.com/wordpress-rest-api/
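/**
 * Enqueue /js/main.js and hand it a REST nonce as window.magicalData.nonce.
 *
 * Hooked to wp_enqueue_scripts (front end). Note get_template_directory_uri()
 * resolves to the parent theme; a child theme's own file needs
 * get_stylesheet_directory_uri().
 */
function my_resources() {
	wp_enqueue_script(
		'main_js',                                    // handle
		get_template_directory_uri() . '/js/main.js', // src
		array(),                                      // dependencies: an array, not NULL
		'1.0',                                        // version string (cache busting)
		true                                          // print in the footer
	);

	// main.js must send this value as the X-WP-Nonce header so REST calls run
	// as the logged-in user (cookie auth); without it the API treats the caller
	// as logged out. The nonce is per-user and time-limited — it is not a
	// secret that grants access by itself, which is why exposing it here is fine.
	wp_localize_script(
		'main_js',
		'magicalData',
		array( 'nonce' => wp_create_nonce( 'wp_rest' ) )
	);
}
add_action( 'wp_enqueue_scripts', 'my_resources' );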
// It adds script /js/main.js to your theme
// Example: https://www.22nds.com/wordpress-rest-api/
// main.js
// console.log('JS works')
// functions.php
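/**
 * Enqueue /js/main.js from the theme, printed in the footer.
 *
 * Alternative to the nonce-passing version above — both define the same
 * function name, so only one of them can live in a given functions.php.
 */
function my_resources() {
	wp_enqueue_script(
		'main_js',                                    // handle
		get_template_directory_uri() . '/js/main.js', // src (parent theme; child themes use get_stylesheet_directory_uri())
		array(),                                      // dependencies: an array, not NULL
		'1.0',                                        // version string (cache busting)
		true                                          // print in the footer
	);
}
add_action( 'wp_enqueue_scripts', 'my_resources' );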