
WordPress has a number of built-in validation/sanitization functions. However, as we can see, there are two kinds of such functions:

  • sanitize_* (like sanitize_key, sanitize_title, ...)
  • esc_* (like esc_url, esc_attr, ...)

My Question: Are esc_* functions safe enough in WordPress? I mean, in cases like this:

echo '<input type="hidden" name="orderby" value="' . esc_attr( $_REQUEST['search_term'] ) . '" />';

is that safe enough, or should we still use extra sanitization, like:

sanitize_title(esc_attr( $_REQUEST['search_term'] ))

T.Todua

1 Answer


In my opinion these functions and their documentation are pretty clear about where these functions should be used and what they do. esc_attr escapes attributes in HTML tags, and sanitize_title sanitizes the title and removes HTML, PHP etc. Since attributes (for esc_attr) are (only) used inside HTML tags, and HTML tags will be removed by sanitize_title, it makes no sense to use esc_attr inside sanitize_title: any escaped attributes inside HTML will be removed together with the full HTML tag.

The esc_... and sanitize_... functions themselves are secure as long as they are used for the purpose for which they were designed (and which is documented). If one instead tries to use esc_attr to escape a URL etc., then this does not match the documented purpose and likely does not provide the intended security.

Steffen Ullrich
  • thanks, but the reason I asked here is whether there are any security issues with them. So, as I see many themes/plugins use `esc_`, can you directly answer: are `esc_` functions safe enough in `html` so we don't need the `sanitize_` functions when `esc_` is used, right? – T.Todua Dec 08 '18 at 18:01
  • 1
    @T.Todua: the `esc_...` and `sanitize_...` functions are secure as long as they are used for the purpose for which they were designed (and which is documented). If one instead tries to use `esc_attr` to escape a URL etc., then this does not match the documented purpose and likely does not provide the intended security. – Steffen Ullrich Dec 08 '18 at 18:18
  • please include this last comment in the answer and I will mark it. thanks. – T.Todua Dec 08 '18 at 19:25
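As an added example (not from the question, the answer, or WordPress itself), here is the asker's hidden-input snippet written the way the answer describes: sanitize once at input time, then escape at output time with the escaper that matches the output context. It assumes WordPress core is loaded (esc_attr, esc_url, sanitize_text_field and wp_unslash are WordPress core functions); render_search_form() and the request values are constructed for illustration and are not a WordPress API.

```php
<?php
// Added example: assumes WordPress core is loaded (esc_attr, esc_url,
// sanitize_text_field and wp_unslash are WordPress core functions).
// render_search_form() is a constructed helper name, not a WordPress API.

function render_search_form( array $request ) {
    // 1. Input: read the raw value and sanitize it once, on the way in.
    //    wp_unslash() removes the slashes WordPress adds to superglobals;
    //    sanitize_text_field() strips tags, octets and control characters.
    $term = isset( $request['search_term'] )
        ? sanitize_text_field( wp_unslash( $request['search_term'] ) )
        : '';

    // 2. Output, attribute context: esc_attr() is the escaper for this spot.
    //    It converts " ' < > & to entities, so the value cannot close the
    //    attribute or the tag. It is applied at the point of output, not earlier,
    //    and there is no reason to wrap it in sanitize_title() (see the answer).
    $html  = '<input type="hidden" name="orderby" value="' . esc_attr( $term ) . '" />';

    // 3. Output, URL context: a different context needs a different escaper.
    //    esc_url() rejects disallowed schemes (for example javascript:) and
    //    returns '' for them, whereas esc_attr() would only entity-encode the
    //    string and leave the scheme intact.
    $back  = isset( $request['return_to'] ) ? wp_unslash( $request['return_to'] ) : '';
    $html .= '<a href="' . esc_url( $back ) . '">Back</a>';

    return $html;
}

// Constructed request, as PHP would decode it from the query string.
$request = array(
    'search_term' => '"><script>alert(1)</script>',
    'return_to'   => 'javascript:alert(1)',
);

echo render_search_form( $request );
// sanitize_text_field() drops the <script>...</script> element, leaving '">',
// which esc_attr() renders as &quot;&gt; inside the value attribute;
// esc_url() returns '' for the javascript: URL, so the link gets an empty href.
```

The point the answer makes is visible in the three steps: the sanitize_* call belongs where untrusted data enters, the esc_* call belongs where data leaves as markup, and which esc_* function is correct depends on the output context (attribute vs. URL), not on how much sanitization ran earlier.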