esc_js()

💡 云策文档标注

概述

esc_js() 是 WordPress 中用于转义文本字符串以在 JavaScript 中安全输出的函数，特别适用于内联 JS（如 HTML 标签属性中的 onclick）。它转义单引号、双引号、& 等特殊字符，并修正换行符。

关键要点

用途：转义文本用于在 JavaScript 中输出，确保安全性和正确性，主要针对内联 JS 场景。
参数：接受一个必需的字符串参数 $text，返回转义后的字符串。
处理内容：转义单引号、双引号、& 字符，并处理换行符（移除，转义为 n）。
内部流程：先通过 wp_check_invalid_utf8() 检查无效 UTF-8，再使用 _wp_specialchars() 转义特殊字符，最后应用 stripslashes 和 addslashes 处理。
Hook：应用 'js_escape' 过滤器，允许插件修改转义后的字符串。
注意事项：字符串需用单引号包裹；对于非内联 JS 场景，推荐使用 wp_json_encode()。

代码示例

function esc_js( $text ) {
	$safe_text = wp_check_invalid_utf8( $text );
	$safe_text = _wp_specialchars( $safe_text, ENT_COMPAT );
	$safe_text = preg_replace( '/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes( $safe_text ) );
	$safe_text = str_replace( "r", '', $safe_text );
	$safe_text = str_replace( "n", '\n', addslashes( $safe_text ) );
	return apply_filters( 'js_escape', $safe_text, $text );
}

📄 原文内容

Escapes single quotes, ", , &, and fixes line endings.

Description

Escapes text strings for echoing in JS. It is intended to be used for inline JS (in a tag attribute, for example onclick="..."). Note that the strings have to be in single quotes. The ‘js_escape’ filter is also applied here.

Parameters

$textstringrequired: The text to be escaped.

Return

string Escaped text.

More Information

See Data Validation for more information on escaping and sanitization.

Source

function esc_js( $text ) {
	$safe_text = wp_check_invalid_utf8( $text );
	$safe_text = _wp_specialchars( $safe_text, ENT_COMPAT );
	$safe_text = preg_replace( '/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes( $safe_text ) );
	$safe_text = str_replace( "r", '', $safe_text );
	$safe_text = str_replace( "n", '\n', addslashes( $safe_text ) );
	/**
	 * Filters a string cleaned and escaped for output in JavaScript.
	 *
	 * Text passed to esc_js() is stripped of invalid or special characters,
	 * and properly slashed for output.
	 *
	 * @since 2.0.6
	 *
	 * @param string $safe_text The text after it has been escaped.
	 * @param string $text      The text prior to being escaped.
	 */
	return apply_filters( 'js_escape', $safe_text, $text );
}

View all references View on Trac View on GitHub

Hooks

apply_filters( ‘js_escape’, string $safe_text, string $text ): Filters a string cleaned and escaped for output in JavaScript.

Uses	Description
wp_check_invalid_utf8()`wp-includes/formatting.php`	Checks for invalid UTF8 in a string.
_wp_specialchars()`wp-includes/formatting.php`	Converts a number of special characters into their HTML entities.
apply_filters()`wp-includes/plugin.php`	Calls the callback functions that have been added to a filter hook.

Show 1 more Show less

Used by	Description
wp_default_packages_vendor()`wp-includes/script-loader.php`	Registers all the WordPress vendor scripts that are in the standardized `js/dist/vendor/` location.
WP_Customize_Site_Icon_Control::content_template()`wp-includes/customize/class-wp-customize-site-icon-control.php`	Renders a JS template for the content of the site icon control.
WP_Links_List_Table::handle_row_actions()`wp-admin/includes/class-wp-links-list-table.php`	Generates and displays row action links.
Bulk_Upgrader_Skin::before()`wp-admin/includes/class-bulk-upgrader-skin.php`	Performs an action before a bulk update.
Bulk_Upgrader_Skin::after()`wp-admin/includes/class-bulk-upgrader-skin.php`	Performs an action following a bulk update.
Bulk_Upgrader_Skin::error()`wp-admin/includes/class-bulk-upgrader-skin.php`	Displays an error message about the update.
_thickbox_path_admin_subfolder()`wp-admin/includes/ms.php`	Prints thickbox image paths for Network Admin.
wp_save_image()`wp-admin/includes/image-edit.php`	Saves image to post, along with enqueued changes in `$_REQUEST['history']`.
iframe_header()`wp-admin/includes/template.php`	Generic Iframe header for use with Thickbox.
WP_Themes_List_Table::display_rows()`wp-admin/includes/class-wp-themes-list-table.php`	Generates the list table rows.
wp_iframe()`wp-admin/includes/media.php`	Outputs the iframe to display the media upload page.
link_submit_meta_box()`wp-admin/includes/meta-boxes.php`	Displays link create form fields.
Custom_Image_Header::js_1()`wp-admin/includes/class-custom-image-header.php`	Displays JavaScript based on Step 1 and 3.
dismissed_updates()`wp-admin/update-core.php`	Display dismissed updates.
js_escape()`wp-includes/deprecated.php`	Escape single quotes, specialchar double quotes, and fix line endings.
sanitize_term_field()`wp-includes/taxonomy.php`	Sanitizes the field value in the term based on the context.
WP_Admin_Bar::_render_item()`wp-includes/class-wp-admin-bar.php`
sanitize_user_field()`wp-includes/user.php`	Sanitizes user field based on context.
sanitize_post_field()`wp-includes/post.php`	Sanitizes a post field based on context.
sanitize_bookmark_field()`wp-includes/bookmark.php`	Sanitizes a bookmark field.
wp_print_media_templates()`wp-includes/media-template.php`	Prints the templates used in the media manager.

Show 16 more Show less

Changelog

Version	Description
2.8.0	Introduced.

User Contributed Notes

Skip to note 3 content

Weston Ruter

10 years ago

You must log in to vote on the helpfulness of this noteVote results for this note: 2You must log in to vote on the helpfulness of this note
I don’t really see the value of using esc_js() anymore. If you really have to do an inline script attribute, you may want to consider the following example with wp_json_encode() and esc_attr(), which seems easier to read and maintain:
```
<input id="subbox" type="text" name="email"
	value="<?php echo esc_attr( $instance['input_text'] ); ?>"
	onfocus="<?php echo esc_attr( $onfocus ); ?>"
	onblur="<?php echo esc_attr( $onblur ); ?>" />
```
But in actuality, this specific example doesn’t need any PHP in its script attributes at all. The following should have the same result, thanks to the defaultValue property on the HTMLInputElement interface:
```
<input id="subbox" type="text" name="email"
	value="<?php echo esc_attr( $instance['input_text'] ); ?>"
	onfocus="if ( this.defaultValue === this.value ) { this.value = ''; }"
	onblur="if ( '' === this.value ) { this.value = this.defaultValue; }" />
```
- But for the sake of filters, you should use esc_js() where javascript is using the value. You see when you use esc_attr(), the output is filtered with attribute_escape. But for esc_js(), output is filtered with js_escape hook. So other plugins can know it’s being escaped for js usage.
  
  Sohan Zaman 7 years ago
Log in to add feedback
Skip to note 4 content

Codex

10 years ago

You must log in to vote on the helpfulness of this noteVote results for this note: -1You must log in to vote on the helpfulness of this note
Example

Example of an input tag within a form displayed on the front-end of the site, generated from a widget. The first php segment is using esc_attr as it is an html attribute of input, while the next php segments is using esc_js within inline JavasSript.
```
<input type="text" value="<?php echo esc_attr( $instance['input_text'] ); ?>" id="subbox" onfocus="if ( this.value == '<?php echo esc_js( $instance['input_text'] ); ?>') { this.value = ''; }" onblur="if ( this.value == '' ) { this.value = '<?php echo esc_js( $instance['input_text'] ); ?>'; }" name="email" />
```
If you’re not working with inline JS in HTML event handler attributes, a more suitable function to use is wp_json_encode() , which is built-in to WordPress. (wp_json_encode() includes the string-delimiting quotes for you):
```
var title = ;
```
Log in to add feedback

云策 WordPress 开发者社区

函数文档