All output should be run through an escaping function in WordPress


To escape output in PHP within WordPress, use the esc_html() function, which converts special characters to their HTML entities. This helps prevent XSS (Cross-Site Scripting) attacks by ensuring that any user-provided data is properly escaped before it is output to the webpage.

Here’s an example of how to use esc_html():

<?php
    $my_variable = "This is <strong>bold</strong> text.";
    echo esc_html($my_variable);
?>

In the example above, the output will be:

This is &lt;strong&gt;bold&lt;/strong&gt; text.

As you can see, the <strong> tag has been converted to &lt;strong&gt; to prevent it from being interpreted as HTML by the browser.
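The same function applied to a realistic case, as an added example that is not part of the original post: a search term taken from the request and echoed back into the page, first unescaped (the classic reflected XSS pattern) and then through esc_html(). It assumes WordPress is loaded (a theme template or plugin file); the parameter name `term` and the surrounding markup are constructed for illustration.

```php
<?php
// Added example, not code from the original post. Assumes WordPress is loaded,
// so esc_html() and wp_unslash() are available. The request parameter "term"
// and the HTML around it are constructed for illustration.

// Attacker-controlled input as it might arrive in the query string, e.g.
// ?term=%3Cscript%3Ealert(1)%3C%2Fscript%3E
$search_term = isset( $_GET['term'] ) ? wp_unslash( $_GET['term'] ) : '';

// VULNERABLE: the raw value is written straight into the page, so a value of
// <script>alert(1)</script> is parsed as markup and runs in every visitor's browser.
// echo '<h2>Results for: ' . $search_term . '</h2>';

// SAFE: esc_html() converts < > & " ' into HTML entities, so the browser shows
// the text literally and never treats it as a tag.
echo '<h2>Results for: ' . esc_html( $search_term ) . '</h2>';

// Escaping is done at output time, not at storage time: keep the original value
// intact and escape it in the context where it is printed.
printf( '<p>%s</p>', esc_html( sprintf( 'You searched for "%s".', $search_term ) ) );
```

Escape as late as possible (at the echo) rather than when the value is stored; the stored value may later be output into a different context that needs a different function.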

Note that WordPress provides other escaping functions for other output contexts, such as URLs. Choose the appropriate function based on the context in which the output is used.

URL Escaping Functions

In WordPress, escaping URLs is important to ensure proper rendering and prevent security vulnerabilities such as cross-site scripting (XSS). Several functions are available in WordPress to escape URLs depending on the context in which they are used. Here are some commonly used functions:

  1. esc_url(): This function is the recommended method for escaping URLs in most cases. It performs several checks to ensure the URL is properly formed and safe. It returns a cleaned and validated URL. Example usage: echo esc_url($url);
  2. esc_url_raw(): This function is similar to esc_url(), but it does not perform as many checks or validations. It is useful when you are confident about the URL’s safety and want to avoid unnecessary overhead. Example usage: echo esc_url_raw($url);
  3. esc_url_secure(): This function is specifically designed for escaping URLs in secure contexts where only secure URLs are allowed, such as in an HTTPS environment. It validates the URL and ensures it uses the HTTPS protocol. Example usage: echo esc_url_secure($url);
  4. esc_url_protocols(): This function is used to specify allowed protocols for URLs. It is often used in conjunction with esc_url() to restrict the URL to specific protocols. Example usage: echo esc_url($url, esc_url_protocols('http', 'https'));

Remember to always use the appropriate escaping function depending on the context where the URL is being output. This helps prevent potential security risks and ensures WordPress correctly renders the URL.
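An added example (not from the original post) of URL escaping in an href and in a redirect. It assumes WordPress is loaded; the `next` parameter and the link markup are constructed. It uses the second parameter of esc_url(), which in WordPress core takes an array of allowed protocols, and esc_url_raw(), which in core runs the same URL validation as esc_url() but returns the result without HTML entity encoding, making it the right choice for redirects and database storage.

```php
<?php
// Added example, not code from the original post. Assumes WordPress is loaded.
// The "next" parameter and the markup are constructed for illustration.

$next = isset( $_GET['next'] ) ? wp_unslash( $_GET['next'] ) : '';

// esc_url() drops any URL whose scheme is not in wp_allowed_protocols(), so a
// value such as "javascript:alert(1)" becomes an empty string rather than a
// clickable script, and "&" in query strings is encoded as "&#038;" for HTML.
echo '<a href="' . esc_url( $next ) . '">Continue</a>';

// The second argument narrows the allowed protocols further: only http and
// https are accepted here, so mailto:, ftp:, tel: and the rest are removed too.
echo '<a href="' . esc_url( $next, array( 'http', 'https' ) ) . '">Continue</a>';

// esc_url_raw() performs the same validation but does not entity-encode the
// result, which is what a redirect header or a database column needs.
$clean_next = esc_url_raw( $next, array( 'http', 'https' ) );

// For redirects, wp_safe_redirect() additionally rejects destinations outside
// the site's own host (or the allowed_redirect_hosts filter), which URL
// escaping alone does not check; that closes the open-redirect case.
if ( '' !== $clean_next ) {
    wp_safe_redirect( $clean_next );
    exit;
}
```

The distinction to remember: esc_url() is for HTML output, esc_url_raw() for everything that is not HTML (redirects, storage, HTTP requests); neither one restricts the destination host, which is what wp_safe_redirect() adds.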

Need to escape other kinds of things?

  1. esc_html(): Escapes any text data that is output into HTML.
  2. esc_html__() and esc_html_e(): These are internationalization functions that escape the translated strings.
  3. esc_attr(): Escapes text data that is output into an HTML attribute.
  4. esc_attr__() and esc_attr_e(): These are internationalization functions that escape the translated strings that are output into an HTML attribute.
  5. esc_textarea(): Escapes any text data that is output into a textarea element.
  6. esc_js(): This function is used to escape text data that is to be used in a JavaScript block.
    • Please note that, as of September 2021, the esc_js() function is not meant to escape an entire block of JavaScript, but individual JavaScript data values that are included within script tags or event-handler attributes.
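The functions listed above used side by side in one settings-page fragment, as an added example that is not part of the original post. It assumes WordPress is loaded; the option names, the `myplugin` text domain and the markup are constructed for illustration, and the closing wp_json_encode() line is this editor's suggestion for passing a data structure to a script, not something the list above states.

```php
<?php
// Added example, not code from the original post. Assumes WordPress is loaded.
// Option names, the "myplugin" text domain and the HTML are constructed.

$label   = get_option( 'myplugin_label', '' );   // constructed option name
$notes   = get_option( 'myplugin_notes', '' );   // constructed option name
$message = "Settings saved. It's done.";

// Text node: esc_html().
echo '<p>' . esc_html( $label ) . '</p>';

// Attribute value: esc_attr() also encodes quotes, so the value cannot close
// the attribute early and append an onclick= / onerror= handler of its own.
echo '<input type="text" name="myplugin_label" value="' . esc_attr( $label ) . '">';

// Translated strings: esc_html__() / esc_attr__() return the escaped translation,
// esc_html_e() / esc_attr_e() echo it. Escaping the translation matters because
// .po files are content too.
echo '<button title="' . esc_attr__( 'Save the plugin settings', 'myplugin' ) . '">';
esc_html_e( 'Save', 'myplugin' );
echo '</button>';

// <textarea> content: esc_textarea(), so a stored value containing "</textarea>"
// cannot terminate the element and inject markup after it.
echo '<textarea name="myplugin_notes">' . esc_textarea( $notes ) . '</textarea>';

// A single string value inside an inline handler: esc_js() escapes quotes,
// newlines and "</" for use inside a single-quoted JavaScript string.
// It is for this one value only, not for a whole <script> block.
echo '<button onclick="alert(\'' . esc_js( $message ) . '\')">Notify</button>';

// Passing a whole data structure to a script: encode it as JSON instead of
// string-escaping each field (editor's suggestion; wp_json_encode() is core).
echo '<script>var myPluginData = ' . wp_json_encode( array( 'label' => $label ) ) . ';</script>';
```

Each function matches exactly one output context; the common mistake is reusing esc_html() for an attribute or a script value, where the characters that matter (quotes, newlines, a closing tag) differ from those in a text node.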

If you need to allow some tags through, have a look at the wp_kses() function.
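An added example (not from the original post) of wp_kses() with an explicit allow-list, alongside wp_kses_post(), which applies the allow-list WordPress uses for post content. It assumes WordPress is loaded; the user bio string and the allowed-tag array are constructed for illustration.

```php
<?php
// Added example, not code from the original post. Assumes WordPress is loaded.
// The input string and the allow-list are constructed for illustration.

// A profile bio where limited formatting is wanted but scripts and event
// handlers are not.
$user_bio = '<p>Hi, I am <strong>Sam</strong>. My '
          . '<a href="https://example.com" onclick="run()">site</a>.'
          . '<script>alert(1)</script></p>';

// Allow-list: tag name => allowed attributes. Tags and attributes not listed
// here (script, onclick) are stripped, not escaped, so the safe markup
// still renders as HTML.
$allowed_html = array(
    'p'      => array(),
    'strong' => array(),
    'em'     => array(),
    'a'      => array(
        'href'  => array(),
        'title' => array(),
    ),
);
echo wp_kses( $user_bio, $allowed_html );

// href values are also checked against wp_allowed_protocols() (the third
// parameter of wp_kses()), so a "javascript:" link is removed even though
// <a href> itself is allowed.

// wp_kses_post() uses wp_kses_allowed_html( 'post' ): broader than the list
// above (headings, lists, images, ...) but still no script tags or on* attributes.
echo wp_kses_post( $user_bio );
```

Note the difference in purpose: the esc_*() functions make the whole value display as text, while wp_kses() keeps an allow-listed subset as live HTML; use kses only where rendered markup from that source is actually intended, and filter with it at output time just like the other functions.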