Late Escaping in WordPress

Late escaping is often seen as unnecessary. I remember when I used to think this:

“Why should I late escape something that I know is safe?”

Let’s examine the various parts of that statement.  The “I” really means not just me — the developer currently writing the code — but me at this current moment in time. While debugging old code, how often have you asked yourself who the “genius” who thought up some “clever” solution was only to realize you were the one who’d written it 6 months ago?

Late escaping future-proofs your code by making it easy to spot escaping. Otherwise, to check the security of it, you’d probably need to re-read all of the code surrounding it, check which functions are called, where the inputs come from, etc. It’s easier and less time-consuming to rely on late escaping instead.

The second part of this statement I want to examine is the “is safe” part. Safe in this context really means, “is not currently known to be insecure” with currently being the key word. The statement “the code is safe” is probably accurate at the point in time when you originally commit it. The problem is, code has a tendency to change. The function you’re calling that returns the “currently safe” code might change in the future. Or, the inputs to that function will change and be from a source you didn’t initially anticipate. That change could introduce user-provided data in a way you didn’t expect and end up being insecure. It’s safest to rely on late-escaping because it’s more resilient to unanticipated changes in the future.

I sometimes hear from developers who are worried that late escaping will hurt the performance of their site. Escaping — even with functions traditionally thought of as slow such as wp_kses_post() — is a drop in the bucket compared to one additional MySQL query on a site. If you take a look at this great post by Zack Tollman on the performance of wp_kses, you can see that older versions of PHP were a bit slow on long content. However, running wp_kses on longer content in PHP 7 and above* shows performance improvements similar to those of HHVM.

So you can rest easy — adding late escaping won’t slow down your site, and it offers many benefits:

  1. It’s easier to scan the code using PHPCS
  2. It’s easier to read during peer code review
  3. It’s more resilient to changes in other parts of the codebase
  4. Removes ambiguity and adds clarity for future code maintainers (including yourself!)
  5. Negligible performance impact


*For reference, WordPress VIP runs PHP 7 at a minimum


The economy is overrated

Someone once told me they didn’t bring back the cart at the shopping center because it “helps create jobs”. It’s a bit like we have accepted that there needs to be Bullshit Jobs.

A speech I’ve always liked is this one by Robert Kennedy:

It demonstates so well how the GDP and so many other measures of “success” are faulty.

Even the way we measure the economy is all wrong. This NYT article does a very good job of showing why even with a low unemployment rate and a high GDP we have so much inequality and suffering.

It reminds me a bit of vanity metrics (A metric that makes you feel good without telling you anything about your business). We have started to optimize our government policy for those vanity metrics. Instead of going to the root causes of what makes a great society we have metrics that, while initially well intentioned, have distracted us from the real goal.

Leaving behind the old metrics in search of better ones would be a good start. (until we end up corrupting those…)

Self-delusion on a national scale


“This was a self-delusion so complete that I could not see where it began and ended, could not root it out, could not destroy it.”

I really enjoyed the way the author describes their realizations, the way they explain that “dread” of realizing that so much of what we believe to be true is a lie.

It’s all just a sinusoidal function

While the most recent time the thought that the world was but a sinusoidal function happened when reading The Online Gig Economy’s ‘Race to the Bottom’ but really it applies to pretty much everything. While that article is about the economics and while I only have enough history knowledge to know about the parallels to the early 1900, I’m sure there are many more throughout history.

At first (around when I was 15) I thought it was actually just a circle. It was quite depressing. Humanity on a grand scale and us as humans just kept playing out our own little circles. Much like in Memento we helped ourselves along the way. Giving ourselves the justifications for our future actions. It was all quite depressing.

A few years later, and perhaps as a defense mechanism, I started seeing things as a sin function. Yes we were in a loop, but it was one that was globally trending upwards.

“The arc of the moral universe is long, but it bends toward justice.” – A few different folks, usually attributed to Martin Luther King (#)

Is one way I try to see it. While in this case it’s about humanity and helps me “accept” what’s going on in the world. (Just to be clear, I use the Buddhist interpretation of acceptance here, not resignation).

This is another one of those posts that I wish I had an answer. I wish I could close this with a straightforward answer to rally people around. An upbeat message. But I don’t have one. All I have is acceptance of the current reality and the part it plays in the greater picture.