I have submitted a plugin to the WordPress repo. They have come back and said I need to escape the values in my email sending code, NOT sanitize. So I'm confused about what function they want me to use. Can you provide advice on the best escape function I should use for an email and plain text?
Existing code they want me to escape and not sanitize:
$message = "
...
<li><strong>Email:</strong> " . sanitize_email($_REQUEST['email']) . "</li>
<li><strong>Name: </strong> " . sanitize_text_field($_REQUEST['name']) . "</li>
...
";
$emailResult = wp_mail("foo@bar.com", "Support Request", $message, array('Content-Type: text/html; charset=UTF-8') );
There's no esc_email() or esc_text() function. So is the below correct to escape an email and plain text?
<li><strong>Email:</strong> " . esc_html($_REQUEST['email']) . "</li>
<li><strong>Name: </strong> " . esc_textarea($_REQUEST['name']) . "</li>
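As an added illustration (not code from the question or from the plugin), here is how the two steps are usually kept apart in WordPress: sanitize once when the value is read from the request, then escape for the context it is written into. The message body is HTML text content, so esc_html() is the context-correct escape there; the subject line and a text/plain body are not HTML, so they get no HTML escaping. It assumes it runs inside WordPress (so wp_mail(), sanitize_email(), sanitize_text_field(), esc_html(), is_email(), wp_unslash() and WP_Error are loaded); the recipient address and the function names are placeholders.

```php
<?php
// Added example, not from the question: sanitize on input, escape on output.
// Assumes the WordPress core functions used here are loaded.

function build_support_request_message( array $request ) {
    // 1. Sanitize on input: clean the raw request values once.
    //    wp_unslash() removes the slashes WordPress adds to request data.
    $email = isset( $request['email'] ) ? sanitize_email( wp_unslash( $request['email'] ) ) : '';
    $name  = isset( $request['name'] )  ? sanitize_text_field( wp_unslash( $request['name'] ) ) : '';

    // Validation is separate from sanitizing: reject a bad address instead of "fixing" it.
    if ( '' === $email || ! is_email( $email ) ) {
        return new WP_Error( 'invalid_email', 'A valid e-mail address is required.' );
    }

    // 2. Escape on output: both values land in HTML text content, so esc_html()
    //    is the right function, even for an address that was already sanitized.
    //    Sanitizing decides what data is acceptable; escaping makes it inert in
    //    the place it is printed. A sanitized name such as "Smith & Jones" still
    //    needs its "&" turned into "&amp;" before it goes into HTML.
    $message  = "<ul>\n";
    $message .= '<li><strong>Email:</strong> ' . esc_html( $email ) . "</li>\n";
    $message .= '<li><strong>Name:</strong> '  . esc_html( $name )  . "</li>\n";
    $message .= "</ul>\n";

    return $message;
}

function send_support_request( array $request ) {
    $message = build_support_request_message( $request );
    if ( is_wp_error( $message ) ) {
        return $message;
    }

    // The subject is plain text, not HTML, so it is NOT HTML-escaped.
    // Likewise, if the Content-Type were text/plain, the body values would not
    // be HTML-escaped either: the escape function follows the output context.
    return wp_mail(
        'support@example.com', // placeholder recipient; a real plugin reads this from its settings
        'Support Request',
        $message,
        array( 'Content-Type: text/html; charset=UTF-8' )
    );
}

// Constructed sample input, e.g. from a form handler:
// send_support_request( array( 'email' => 'ann@example.com', 'name' => 'Smith & Jones' ) );
```

The point the reviewers usually make is that sanitize_*() belongs where the value enters the plugin and esc_*() belongs where it is printed; doing only the first leaves characters such as `&` or `<` that are valid data but still meaningful to an HTML mail client.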