Easier way to make sure all strings are escaped in WordPress themes

We all know we should escape all the strings in a theme. WordPress theme review guidelines require it, and so does Themeforest.

After working on a theme for a longer period of time, it’s quite possible that you’ve slipped somewhere with unescaped echoes. If you’re going commando on your own – you still need to escape every little thing and be twice as careful if there are no additional set of eyes on your code.

This has happened to me time and time again, and after about a 100 rejections on Themeforest (throughout all my theme submissions), I think it’s about time to start avoiding some of the rejection reasons. One of which is validation.

Searching for echo is just not going to cut it. In my code – that’s just too many lines to go over the code. On top of that – when searching for a simple echo, it’s easy to miss a problematic echo statement among all the wp_kses and esc_attr functions I’ve used.

And as always…

Regex to the rescue

I’m searching all files and folders with this pattern in phpStorm, but I bet this works in Sublime Text and probably Atom too:


This is going to search for all echo statements, that don’t contain kses, esc_, get_, sanitize.

I think I can ignore get_ functions because I trust WordPress to have already sanitized at least that content.

An important part is the \s before get_ and sanitize because  I may have written a function that has get or sanitize in the function name, and we don’t want to ignore those, so ignore them only if the function starts with a space character so that my prefixed dastheme_get_something() functions are not going to be ignored.

Finally – this is going to include all __() and _e() functions. If you find them, make sure you’ve properly sanitized them. You should be using esc_html__() instead anyway.

Starting to write again

We finally launched our website – Colormelon.

For too long we’ve been the shoemakers with no shoes. It was very difficult to find the time to design our own site – it seems that there are always better things to do!
Even right now, there is a huge pile of things we’d rather create than our website, but after years of making web designs for others, we decided that it was finally time we got a website too, or at least start the process of building our site.

As a part of the decision to launch our website, was that we wanted to build a blog for Photographers.


Writing for Change

We’ve seen too many sites spreading either incorrect information or purely profit oriented information, for example affiliate inspired hosting reviews. The only way to change things is by sharing unbiased information. At least that’s the first step, and that’s the step I never really took seriously, until recently. So we decided that we’re going to run a blog for Photographers over at Colormelon. Soon after I realized – writing is extremely hard.

Writing isn’t hard, Writing is a skill

Today I tweeted this:

and that really made me think – what if that’s only true, because for the past 10 years I’ve been writing code more than text? Maybe if I practice writing every day it might become a bit easier ?

So here it goes – I am going to write as much as I possibly can about everything I can think of. I don’t know where this journey is going to lead me, but I hope that when it’s all said and done that I end up changing the internet, and maybe the world – for the better.



Find all unescaped i18n strings in in WordPress

It turns out, that from now on, it’s a best practice to escape with esc_html__() instead of simply doing __() in your plugins and themes.

Replacing everything with esc_html() is a solution, but what about the __() in your code that already contain some minor code ( like a few wrapping spans here and there ) ?

Here is what I did:

1. Search and replace every __() with esc_html__() and _e() with esc_html_e()

2. Then find all the esc_html functions that have HTML in them

That’s going to show you all the esc_html__() and esc_html_e() that contains a “<” or “>” somewhere within. I use phpStorm to perform the search, and the above Regex works just fine for me.

3. Adjust your code so that the string no longer requires inline HTML

That’s it. You’re no longer a robot that has to manually go over each internationalized string.

Download a complete single page with wget

A simple way to download a complete page

Very much inspired by Guy Rutenberg,
I only modified the snippet slightly with -N, which validates timestamps and doesn’t download duplicated ( but does overwrite local files with the new changes ) and robots=off, so I wouldn’t download the robots.txt

A simple one-liner to convert all JavaScript to CoffeeScript

A simple one-liner to convert all JavaScript in a folder to CoffeeScript

First, make sure you have installed “js2coffee” ( and js2coffee.org is real cool for single files too ):

And then just paste this:

-it options modifies the spaces to tabs, remove it if you prefer spaces.


Picking values from an Array in WordPress

_.pick is great

Underscore.js has a lot of great stuff packed in it. One of the functions I love is pick, which lets you input some keys and get a new array from an Array.

Can’t pick in PHP

So today I wanted to find an alternative to Underscore’s _.pick for PHP, and I didn’t. It’s not a function that would be difficult to write, but that’s where WordPress comes in.

Can pick in WordPress

People at WordPress thought that it would be a nice helper for them too, so in WordPress 3.1 they added wp_array_slice_assoc.

The naming is a bit long, but the function is awesome anyway and the naming explains the purpose alright. Slice an array associativley ( that’s a big word ).

Here is how it works.

Imagine we have a some array like this one.

In this case the array is a mess, your array should never be a mess, but it might happen. In this case, I know I want only John and Jane in my array, so I can do this:

Tara. Now I have a new array “$persons” which has only john and jane.

How is this useful ?

Well, there are times where you would write something like this:

Which I think of an overkill, especially if you need like 10 variables. Of course you could extract from all of them

But what if the array has like 20 items. What happens when they clash? What if someone else modifies your code? I just don’t feel that blindly using extract is the best development pattern.

Along comes wp_array_slice_assoc()

Or a slightly more readable (based on preference) variant

That’s it.

Final Note

Please, please be careful extracting variables. And when you do, please document them, even if the documentation comes in the form of $keys_to_extract. Recently I had a very difficult time figuring out what is what because the author of a plugin pulled some weird variables out of nowhere and I had to run around var_dump’ing all over the place until I figured out what is what.

New Everything

New Design

Thanks to WP-SBVTLE I’ve got a nice theme for myself. I will probably make a couple of edits now and then, but finally I feel like writing.

The default WordPress Twenty Twelve (or thirteen) aren’t bad themes, but I just wanted something more like… well – like this.

New Host

I’m still in the process of moving, but I’m finally moving from Rackspace to WPEngine. I’ll post about that later on, but so far my experience with WPEngine has been truly amazing! They are awesome!

New Header Image

Well. Previously I didn’t have one, so theoretically it’s not new, but I’ll count it as new. I took the Elephant from The Noun Project, designed by Ted Mitchner.

New Writing style

Yes. This was a short post. I hope to keep writing nice little short posts to get into the habit of writing.