Escape HTML on WP input

The default text widget – WP_Widget_Text – can be found in wp-includes/default-widgets.php. The input is handled like this:

  • stripslashes( wp_filter_post_kses( addslashes( $text ) ) ); for the text;

I assume this should work likewise for your custom widget. Additionally there is:

  • wpautop( $text ) on the output, if the filter is set to do that;

But optimally you’re taking a look at the source yourself.

Additionally the codex articles:

give you an good overview about sanitizing, escaping and validating possibilities with WP.

tech