I'm working on a WordPress website. This is in the child's function.php file. I'm just wondering if I need to sanitize when I embed strings within HTML markup.
if (is_user_logged_in()) {
$user = wp_get_current_user();
$fName = $user -> user_firstname;
$lName = $user -> user_lastname;
$items .= '<li id="user-name" title="Edit my profile" ><a href="' . site_url('/something') . '">' . $fName . ' ' . $lName . '</a></li>';
$link = '<a href="' . wp_logout_url($redirect) . '" title="' . __('Logout') . '">' . __('Logout') . '</a>';
}
Do I need to sanitize $items and $link? If so, would it be this?
$items .= '<li id="user-name" title="Edit my profile" >htmlspecialchars(<a href="' . site_url('/something') . '">, ENT_QUOTES)' . $firstName . ' ' . $lastName . '</a></li>';
$link = htmlspecialchars('<a href="' . wp_logout_url($redirect) . '" title="' . __('Logout') . '">' . __('Logout') . '</a>, ENT_QUOTES)';
How about this one?
echo '<p>' . __('A message will be sent to your email address.') . '</p>';
to
echo '<p>' . htmlspecialchars(__('A message will be sent to your email address.'), ENT_QUOTES) . '</p>';
Thanks for helping.