My primary occupation is developing on WordPress and it’s pretty much a full time activity, so if you’re like me, getting your hands dirty in code, I’m sure this has happened to you at least once: finding a function you didn’t know about, that instantly simplifies an otherwise tedious or repetitive task.
It happened to me about two years ago, when I discovered the marvels of
wp_list_pluck. If you’re wondering what it does: it grabs a particular property from a multi-dimensional array or an array of objects, and stacks the result of this computation in an array of its own. Pretty neat, definitely a nice time saver.
It has happened to me just today while I was taking care of some escaping in a theme we’re building. Escaping is quite possibly the single most important thing you can do in a theme beside design, certainly more than making it chock-full of features that will likely end up unused.
If you’re new to the subject and you’re not sold yet on the concept, I suggest you take a look at this video from Computerphile, and while you’re at it spend some more time on their channel, since it’s worth every second of it.
Anyway, the function I’ve discovered today is called
wp_kses_post, and it automatically filters a string of text allowing only the HTML tags that are permitted in a post’s content.
Before that, when a simple
esc_html wouldn’t do it, I used to spend a good minute writing the following (or a variation of it):
wp_kses( $string, array( 'a' => array( 'href' => array(), 'title' => array() ), 'br' => array(), 'em' => array(), 'strong' => array(), )
which, long story short, is a more precise way of not allowing evil
script tags where they shouldn’t be.
WordPress core has more to offer than you might know, so don’t be afraid to check it out and experiment with it, and also remember to always escape your output.