
Escape Function for urldecode() #25

FrancesCoronel opened this issue Oct 18, 2018 · 3 comments

FrancesCoronel commented Oct 18, 2018

Hey there 👋

Thanks for the plugin - it's really useful!

I have a small bug I'm dealing with - I followed all the steps and I am currently using urldecode() with the proper config:

```php
array(
	'label'       => 'Content',
	'attr'        => 'content',
	'description' => 'Content',
	'type'        => 'textarea',
	'encode'      => true,
	'meta'        => array(
		'class' => 'shortcake-richtext',
	),
),
```

```php
<?php echo urldecode( $atts['content'] ); ?>
```

However, I'm getting the following error now:

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'urldecode'

I'm wondering, then, what I would use instead as a proper escape function in tandem with the urldecode function?

I've tried esc_attr already, but that renders the HTML tags too, which I obviously don't want.

```php
<?php echo esc_attr( urldecode( $atts['content'] ) ); ?>
```

I've tried looking into this myself and haven't found any answers that preserve the text properly, so I figured I'd ask here as well.


mehigh commented Oct 19, 2018

This error should come from your code quality checks.

If you're using PHP Code Sniffer, this should help:

```php
// phpcs:disable
echo urldecode( $atts['content'] );
// phpcs:enable
```

Or add this comment if you use WPCS:

```php
echo urldecode( $atts['content'] ); /* WPCS: xss ok. */
```

You're outputting mark-up you control, and since that contains HTML there isn't really an escaping function you can use readily in here. Rather, you need to inform the code sniffer that the source is OK - you're not just feeding in random visitor data here.

@mehigh mehigh closed this as completed Oct 19, 2018

mehigh commented Oct 19, 2018

@fvcproductions
Escaping with wp_kses_post escapes with the same type of tags which are allowed in a regular post.
See the reference in the Codex: https://codex.wordpress.org/Function_Reference/wp_kses_post
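As an added example (not code from the plugin, and not posted by anyone in this thread), here is how the rich-text attribute from the original question can be registered with Shortcake and rendered through wp_kses_post() rather than a bare urldecode() with a sniff suppression. It assumes WordPress with Shortcake (shortcode-ui) loaded; the shortcode tag `content_box`, the callback name and the use of the `register_shortcode_ui` hook are assumptions for illustration.

```php
<?php
/**
 * Added example, not code from the plugin or this thread.
 * Assumes WordPress with Shortcake (shortcode-ui) loaded.
 * The shortcode tag, callback and attribute names are illustrative assumptions.
 */

// Register the shortcode itself. Shortcode callbacks must return their markup.
add_action( 'init', function () {
	add_shortcode( 'content_box', 'content_box_render' );
} );

// Register the Shortcake UI. 'encode' => true makes Shortcake store the textarea
// value URL-encoded inside the shortcode attribute, which is why the render
// callback has to urldecode() it before anything else.
add_action( 'register_shortcode_ui', function () {
	shortcode_ui_register_for_shortcode( 'content_box', array(
		'label' => 'Content Box',
		'attrs' => array(
			array(
				'label'       => 'Content',
				'attr'        => 'content',
				'description' => 'Content',
				'type'        => 'textarea',
				'encode'      => true,
				'meta'        => array( 'class' => 'shortcake-richtext' ),
			),
		),
	) );
} );

/**
 * Render callback: decode first, then filter the decoded HTML.
 */
function content_box_render( $atts ) {
	$atts = shortcode_atts( array( 'content' => '' ), $atts, 'content_box' );

	// Undo Shortcake's encoding before filtering. Running kses on the still-encoded
	// string would be pointless: %3Cscript%3E contains no tag for kses to see, and
	// it would only become <script> when decoded afterwards.
	$html = urldecode( $atts['content'] );

	// esc_attr( $html ) would turn every < into &lt; and show the tags as text.
	// wp_kses_post() keeps the tags and attributes allowed in post content
	// (p, a, strong, em, img, ...) and strips the rest (script, iframe, on*
	// handlers, javascript: URLs), so rich text survives while injected markup
	// does not. wp_kses_post is also in the WPCS list of escaping functions,
	// so no phpcs suppression comment is needed around the output.
	return wp_kses_post( $html );
}
```

The order matters: decode, then filter, then output. Sanitising before urldecode() would let encoded markup pass through kses untouched, and the comment-based suppression from the earlier reply would silence the sniff without changing what reaches the browser.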

FrancesCoronel (Author) commented

Yep, I just ended up using wp_kses_post - thanks for the info!
