esc_attr() on hard coded string

I am going through some example code from the codex for creating a widget ( . Below is the code for creating a label and input field for an admin widget form:

<label for="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>"><?php esc_attr_e( 'Title:', 'text_domain' ); ?></label>
<input class="widefat" id="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>" name="<?php echo esc_attr( $this->get_field_name( 'title' ) ); ?>" type="text" value="<?php echo esc_attr( $title ); ?>">

I understand esc_attr() will escape HTML and make it proper for use as an HTML attribute value. However, what I fail to understand is why you would use esc_attr() in the above cases when everything is hard coded? I would think esc_attr() would be used for user-entered data.

For example, in the code below, why is the label value being escaped even though a fixed string of 'Title' is being passed to it? Or why is the value for 'for' being escaped when we are passing a fixed string, $this->get_field_id( 'title' ), to it?

<label for="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>"><?php esc_attr_e( 'Title:', 'text_domain' ); ?></label>

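An added example, not part of the question above, that illustrates why escaping is applied even to these seemingly hard coded values: the label text passes through the translation catalog and the field id is assembled from widget settings, so the template only appears to control them. my_translate(), my_esc_attr() and field_id() are stand-ins assumed here for __(), esc_attr() and WP_Widget::get_field_id(); the catalog is constructed.

```php
<?php
// Added example (not from the question). Shows that "hard coded" template
// values have upstream sources: the label text comes from the translation
// catalog and the field id is built from widget settings. Escaping at output
// treats both as untrusted, which is the point of escaping late and always.
// Assumptions: my_translate(), my_esc_attr() and field_id() are stand-ins for
// the WordPress functions; the catalog below is constructed.

// Constructed catalog: the translation of 'Title:' carries markup and quotes,
// as a third-party .mo file could.
$catalog = [
    'Title:' => 'Titel: <b>"Überschrift"</b>',
];

// Stand-in for __(): look the string up in the catalog, fall back to the key.
function my_translate(string $text, array $catalog): string
{
    return $catalog[$text] ?? $text;
}

// Approximates esc_attr(): & < > " ' become entities, safe inside a quoted attribute.
function my_esc_attr(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Assembles a field id from the widget's id_base, instance number and field name.
function field_id(string $id_base, int $number, string $field): string
{
    return 'widget-' . $id_base . '-' . $number . '-' . $field;
}

// Renders the label from the question, with or without escaping.
function render_label(string $id, string $label, bool $escape): string
{
    if ($escape) {
        $id = my_esc_attr($id);
        $label = my_esc_attr($label);
    }
    return '<label for="' . $id . '">' . $label . '</label>';
}

$id = field_id('my_widget', 2, 'title');
$label = my_translate('Title:', $catalog);

// Without escaping the translation's markup lands in the page as-is;
// with escaping it is rendered as literal text.
echo "Unescaped: ", render_label($id, $label, false), "\n";
echo "Escaped:   ", render_label($id, $label, true), "\n";
```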
