I am echoing the thumbnail image of a post. If necessary, how should wp_get_attachment_image() and/or its parameters be escaped? Should any of the parameters "medium-large-thumbnail", false and $attributes be escaped too?
<?php
$thumbnail_ID = get_post_thumbnail_id();
$attributes = ['class' => 'post-and-page-thumbnail'];
echo wp_get_attachment_image(esc_html($thumbnail_ID), "medium-large-thumbnail", false, $attributes);
?>
TLDR: No parameters need to be escaped.
The below assumes no third-party code is hooked into any filters run by the wp_get_attachment_image() function or its sub-function calls:
$attachment_id (parameter 1)
This is used to get the attachment post and reference it in other functions. This parameter is not used in direct output and thus does not need to be escaped.
$size (parameter 2)
This is used in the class attribute of the <img> tag (if the class attribute is not defined by parameter 4, $attr):
$size_class = $size;
if ( is_array( $size_class ) ) {
    $size_class = implode( 'x', $size_class );
}
$default_attr = array(
    'src'   => $src,
    'class' => "attachment-$size_class size-$size_class",
The output of these attributes is then escaped in the function by the line:
$attr = array_map( 'esc_attr', $attr );
$icon (parameter 3)
This parameter is only passed on to a child call to wp_get_attachment_image_src(). In that function, the $icon parameter is only used as a boolean check. Thus this parameter is not used in direct output or unguarded SQL queries and does not need to be escaped.
$attr (parameter 4)
wp_get_attachment_image() adds some extra attributes for optimizations and such. These are merged into $attr. The attributes are then escaped in the function by the line:
$attr = array_map( 'esc_attr', $attr );
You can escape the function using wp_kses_post, e.g.:
echo wp_kses_post(
    wp_get_attachment_image( $thumbnail_ID, "medium-large-thumbnail", false, $attributes )
);
Note that wp_kses_post is a little different to other functions such as esc_html, since it strips out data rather than mangling it to conform to expectations. In the strictest sense it isn't an escaping function, but it serves the same purpose for content that should be safe to insert into a post's content.
Note this might suggest to you that wp_kses might be a good way to escape arbitrary tags, but this leads to major mistakes such as calling wp_kses with iframes and script tags in the allow list, which is not secure and defeats the entire point.
Also note that you would never use an escaping function on a function parameter, though, and in your example esc_html($thumbnail_ID) is fundamentally incorrect. The purpose of esc_html is to enforce the expectation that it is a string that does not contain HTML, but we are neither printing non-HTML strings nor passing strings; we're passing a thumbnail ID, which is a number, so absint, (int) or intval would be more appropriate as escaping. But again, we don't escape values going into function parameters: escaping is for outputs, not inputs, and it only happens once.
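The following is an added example, not code from the question or from either answer, that models outside WordPress the two points made above: the first answer's walk-through of how $size becomes a class and how every attribute value is escaped once by array_map('esc_attr', ...), and the second answer's point that esc_html() on an ID enforces nothing while absint() does. esc_attr(), esc_html() and absint() here are simplified stand-ins for the WordPress functions (assumption: core builds them on htmlspecialchars with ENT_QUOTES and no double encoding), build_attachment_img() is a hypothetical cut-down stand-in for wp_get_attachment_image(), and the src URL and attribute values are constructed, so the file runs with plain php.

```php
<?php
// Added example, not code from the question or either answer. It models the
// escaping path described above outside WordPress so it runs with plain `php`.
// esc_attr(), esc_html() and absint() are simplified stand-ins (assumption:
// core's versions are built on htmlspecialchars with ENT_QUOTES and no
// double encoding, which is what is reproduced here).

function esc_attr(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
}

function esc_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
}

function absint($maybeint): int
{
    return abs((int) $maybeint);
}

// Hypothetical stand-in for the part of wp_get_attachment_image() quoted in
// the first answer: derive the size class, merge caller attributes over the
// defaults, then escape every attribute value exactly once at output.
// $src is a constructed value; core resolves it from the attachment id.
function build_attachment_img(int $attachment_id, $size, array $attr = []): string
{
    $src = "https://example.invalid/uploads/{$attachment_id}.jpg"; // constructed

    $size_class = $size;
    if (is_array($size_class)) {
        $size_class = implode('x', $size_class);
    }
    $default_attr = [
        'src'   => $src,
        'class' => "attachment-{$size_class} size-{$size_class}",
    ];
    // Caller-supplied keys override the defaults.
    $attr = array_merge($default_attr, $attr);

    // The single escaping step: values are escaped here, at output, not before.
    $attr = array_map('esc_attr', $attr);

    $html = '<img';
    foreach ($attr as $name => $value) {
        $html .= " {$name}=\"{$value}\"";
    }
    return $html . ' />';
}

// 1. A string size becomes the class; an array size is joined with 'x'.
echo build_attachment_img(12, 'medium-large-thumbnail'), PHP_EOL;
echo build_attachment_img(12, [300, 200]), PHP_EOL;

// 2. A caller attribute containing a double quote stays inside its attribute,
//    because esc_attr() runs on every value at output time (constructed value).
$attrs = ['class' => 'post-and-page-thumbnail" data-x="injected'];
echo build_attachment_img(12, 'medium-large-thumbnail', $attrs), PHP_EOL;

// 3. esc_html() on the id enforces nothing about it being an integer:
//    a tampered string passes through unchanged. absint() enforces the
//    "non-negative integer" expectation, with 0 meaning "no attachment".
var_dump(esc_html('12abc'));
var_dump(absint('12abc'));
var_dump(absint('-7'));
var_dump(absint('not an id'));
```

Running the file shows the quote in the supplied class rendered as &quot; inside the class attribute rather than closing it, and the array size joined as 300x200 in the class name. The absint() calls illustrate why the second answer prefers an integer cast over esc_html() for the ID; in a real theme you would still pass the plain ID into wp_get_attachment_image() and leave escaping to the function's own esc_attr step.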