1

I have a form with an input name="title" and in functions.php I'm simply getting all the data from that form.

Here's the code:

$title = $_POST['title'];
print_r($_POST);
var_dump($title);
var_dump(esc_attr($title));

The expected outcome would be the same string, but, I have no idea why, WordPress shows an empty string on the esc_attr one.

Here's the output:

Array ( [title] => Swedish House Mafia – Doooon\'t You Worry Child ft. John Martin )

string(63) "Swedish House Mafia – Doooon\'t You Worry Child ft. John Martin" 

string(0) "" 

It's not related to the input field being called title or the variable being called $title and conflicting with other stuff in WordPress, I have no idea why the escape functions are not working.

Nico
  • I'll be interested in seeing the answer to this question, though I wonder if we need more of the actually in use code but can't see right now why you'd get a var dump of $title but not of esc_attr($title). Out of curiosity, do you get the same (non-)results when you try $esc_title = esc_attr($title); echo $esc_title; ? – CK MacLeod Dec 09 '16 at 17:29

3 Answers

0

Let's walk through the thought process of what might be a contributor to this problem.

With the code as presented, nothing in your code is affecting the variable or $_POST. You are just echoing out each variable one after the other (as you presented above).

That means something is wonky with esc_attr. What could the possibilities be:

  1. The function is not available yet.
  2. Something is overriding the returned value and behavior.

Possibility 1 is not feasible because you are working in the theme's functions.php file. WordPress has loaded the escaping functions by the time the theme is called. To check that, you can do:

echo function_exists( 'esc_attr' ) ? 'yes, loaded' : 'whoops, not loaded';

That leaves us with Possibility 2. Let's look at the function in WordPress Core.

function esc_attr( $text ) {
    $safe_text = wp_check_invalid_utf8( $text );
    $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
    /**
     * Filters a string cleaned and escaped for output in an HTML attribute.
     *
     * Text passed to esc_attr() is stripped of invalid or special characters
     * before output.
     *
     * @since 2.0.6
     *
     * @param string $safe_text The text after it has been escaped.
     * @param string $text      The text prior to being escaped.
     */
    return apply_filters( 'attribute_escape', $safe_text, $text );
}

There are 3 functions that interact with the text. I don't see anything in the first two. However, look at the filter event attribute_escape. Any other plugin or theme can register to that event and change the returned text, including returning an empty string.

That sounds like a highly probable candidate.

Next Steps

Something is stepping on (filtering) the text when it's passed through esc_attr(). You need to eliminate all variables, strip the site down to the bare bones basics, and then see if the problem resolves itself.

The following steps are a process to discover where the problem lies. It's an elimination methodology. As you walk through it, it'll help you to pinpoint what component (theme, plugin, or even core) is affecting it.

  1. Step 1: Deactivate ALL plugins
  2. Step 2: Move your code to the top of the theme's functions.php file. Why? It eliminates anything in the theme from affecting the text as the functions.php file loads first.
  3. Step 3: Manually add the title to $_POST['title']. Put as the first line in functions.php: $_POST['title'] = "Swedish House Mafia – Doooon't You Worry Child ft. John Martin";.
  4. Step 4: Refresh the browser.

Is it working properly, meaning esc_attr() returns the string?

Nope, the problem is still happening.

Hum, that means something then in WordPress Core is not playing nice. You could investigate by digging into Core and finding what is causing the conflict. Or reload a fresh version of it.

Yes, the problem is gone

Add in one plugin at a time. Refresh the browser. Check if the problem reappears. If yes, then you found the plugin that is causing it.

Now what?

Once you find the culprit, you can take steps to fix the problem. Then you can remove the code from functions.php file that I had you add.

hellofromTonya
  • If you strongly suspect it's a filter somewhere else acting on 'attribute_escape', then you could search the theme and plug-in folders for it instead of going through the deactivation/re-activation routine. – CK MacLeod Dec 10 '16 at 08:34
0

This might be an edge case, but I had the same issue and the problem was with multibyte characters.

My code looked something like this: esc_attr( substr( $desc, 0, 152 ) )

Without esc_attr() it worked but I sometimes got the �-character. When running it through esc_attr() I got nothing back.

So my solution was to replace substr() with mb_substr(). Read about the difference in this answer.

Punchlinern
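Added example (not from the answer above or from WordPress core): a stand-alone PHP script showing how byte-wise substr() can leave esc_attr() with nothing to return while mb_substr() does not. demo_check_utf8() and demo_esc_attr() are hypothetical stand-ins that model the check-then-escape order of the core listing quoted earlier, assuming the UTF-8 check returns an empty string for text that is not valid UTF-8; all sample strings are constructed.

```php
<?php
// Added example; runs without WordPress (needs the mbstring extension).
// demo_check_utf8() and demo_esc_attr() are hypothetical stand-ins, not WordPress functions.

// Model of the UTF-8 gate (assumption): valid text passes, invalid text becomes ''.
function demo_check_utf8( string $text ): string {
    if ( '' === $text ) {
        return '';
    }
    // With the /u modifier, preg_match() returns false on malformed UTF-8.
    return ( 1 === @preg_match( '/^./us', $text ) ) ? $text : '';
}

// Check first, then escape for an HTML attribute, as in the quoted core function.
function demo_esc_attr( string $text ): string {
    return htmlspecialchars( demo_check_utf8( $text ), ENT_QUOTES, 'UTF-8' );
}

// Constructed sample: the en dash is three bytes in UTF-8 (E2 80 93), at offsets 20-22.
$desc = "Swedish House Mafia \u{2013} Don't You Worry Child";

$cases = [
    'full string'        => $desc,
    'substr( 0, 21 )'    => substr( $desc, 0, 21 ),             // cuts inside the dash
    'mb_substr( 0, 21 )' => mb_substr( $desc, 0, 21, 'UTF-8' ), // keeps the whole dash
    'Windows-1252 dash'  => "Mafia \x96 Child",                 // lone byte 0x96
];

foreach ( $cases as $label => $value ) {
    printf(
        "%-20s bytes=%-3d valid_utf8=%-3s escaped=%s\n",
        $label,
        strlen( $value ),
        1 === preg_match( '//u', $value ) ? 'yes' : 'no',
        var_export( demo_esc_attr( $value ), true )
    );
}
```

The question's var_dump() reports string(63) for a title that is 63 characters long, so the dash occupies a single byte there, as in the last case.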
-2

Retrieve data with this code

echo esc_attr( $title );
Ayan Chakraborty