Help about Escaping

Here’s just a few examples of what escaping looks like:

Escaping URLS: 

<?php echo esc_url( home_url() ); ?>

Escaping Content

<?php echo esc_html( get_the_title() ); ?>

Escaping Attributes

<?php echo esc_attr( $my_class ); ?>

Escaping Content but keep HTML

<?php echo wp_kses_post( get_the_content() ); ?>

Escaping Emails

<?php echo sanitize_email( $email_address ) ); ?>

For more information about escaping, here’s a good resource on data sanitization.

Related Posts:

  1. What characters do I need to escape in XML documents?
  2. What characters must be escaped in HTML 5?
  3. How can I selectively escape percent (%) in Python strings?
  4. How do I escape a single quote in jQuery?
  5. Escape Character in SQL Server
  6. How to escape apostrophe (‘) in MySql?
  7. Should HTML output be passed through esc_html() AND wp_kses()?
  8. How to prevent escaping when saving HTML code in an option value?
  9. How to correctly escape query variables to be used in WP_Query
  10. esc_attr / esc_html / esc_url in echos
  11. When do I need to use esc_html()? [duplicate]
  12. what’s different between esc_attr, htmlspecialchars and htmlentities
  13. Allow all attributes in $allowedposttags tags
  14. When outputting a static string to the page, is it necessary to escape the output?
  15. How Flexible are the WordPress Coding Standards for PHPCS?
  16. why is esc_html() returning nothing given a string containing a high-bit character?
  17. How to properly escape a translated string?
  18. Translate a Constant while appeasing WordPress PHPCS
  19. Using esc_url() on a url more than once
  20. Do I need to escape get_theme_mod(‘url’) / (‘mail’) with esc_url?
  21. How to allow &nbsp with wp_kses()?
  22. Using esc_attr_e
  23. Why esc_html_() is not used on every text that has a translation (on Twenty Twenty One)?
  24. Escaping crashes my output
  25. How to safely escape the title attribute
  26. How to safely escape data that contains HTML attributes
  27. Can wp_strip_all_tags be used as a substitute for esc_url, esc_attr & esc_html?
  28. Echoing a URL to a link
  29. wp_kses_post escaping doesn’t appear to work as described?
  30. file_get_contents | escaping doesnt show the page
  31. How to keep specific tag from an html string?
  32. Escaping Issues
  33. Escaping and Special Characters (e.g. &)
  34. Escaping get_option( ‘time_format’ ) is nesserary?
  35. How should esc_url be combined with trailingslashit?
  36. Correct way of using esc_attr() and esc_html()
  37. Uses for the ‘"’ entity in HTML
  38. How can I add ” character to a multi line string declaration in C#?
  39. Escape quotes in JavaScript
  40. Escape string Python for MySQL
  41. How is \\n and \\\n interpreted by the expanded regular expression?
  42. Why shouldn’t `'` be used to escape single quotes?
  43. What’s the Use of ‘\r’ escape sequence?
  44. Unrecognized escape sequence for path string containing backslashes
  45. What’s the difference between esc_html, esc_attr, esc_html_e, and so on?
  46. What is the difference between esc_html filter vs attribute_escape filter?
  47. How to print translation supported text with HTML URL
  48. Which WP functions do you need to use esc_html() or esc_url() on?
  49. What’s the difference between esc_* functions?
  50. How do translated, escaped strings (esc_attr) in Themes work?
  51. PHP Coding Standards, Widgets and Sanitization
  52. how to escape wp_oembed_get for phpcs
  53. When do I need to use esc_attr when using WordPress internal functions
  54. How to escape html code with html allowed
  55. Disable escaping html
  56. esc before saving or before displaying does it matter?
  57. Updating a post without escaping ampersands?
  58. Escape hexadecimals/rgba values
  59. Must I serialize/sanitize/escape array data before using set_transient?
  60. I am not understandinhg $wpdb->prepare correctly
  61. esc_attr not working in shortcode
  62. meta_query works locally but not on live server
  63. How do I escape a table name or column name in SQL? esc_sql doesn’t do this
  64. Escaping / encoding data before insert into a database?
  65. Escape when echoed
  66. Should you escape hardcoded URLs?
  67. How to sanitize user input?
  68. Should I always prefer esc_attr_e & esc_html_e instead of _e?
  69. Is Wrapping intval() Around esc_attr() Redundant for Escaping Input?
  70. Does balanceTags() provide any escaping / protection?
  71. WP_Editor – Saving Value into Plugin Option – Stripping HTML
  72. Is it necessary to escape LIKE term in WP_User_Query?
  73. How to get my post title to work with an apostrophe (‘s)?
  74. How to escape attachment image caption text?
  75. esc_js() breaks unicode sequences by removing the slash ‘\’ character
  76. Unexpected esc_html and esc_attr behaviour
  77. Allow HTML in Settings API input field
  78. Do we need to escape data that we receive from theme options?
  79. should I escape a literal url added in functions.php
  80. Why would you use esc_attr() on internal functions?
  81. How to allow single quote with esc_html__() without sprintf()
  82. How to safely return the HTML?
  83. Wrapping add_query_arg with esc_url not working
  84. wordpress post not showing my “” text>?
  85. Should I escape the html for the settings field created with add_settings_field?
  86. escape html in jQuery for WordPress
  87. echo cutom css code to WordPress page template file ? is this safe?
  88. Remove pre and code tags from WordPress
  89. Correct form of escaping and localization – functions.php breadcrumbs
  90. Escaping a Single Quote in str_replace for Nav Function
  91. wp_kses allow checkbox class and checked
  92. Escaping html for meta description
  93. Escaping and sanitization
  94. Escaping WP_Query tax_query when term has special character(s)
  95. How to display post meta data in secure manner
  96. Where is escaped the shortcode?
  97. Escaping a shortcode so it displays as-is [duplicate]
  98. Using `esc_attr( get_block_wrapper_attributes() )`, results in `class=””wp-block-foo””`
  99. Escaping admin_url output being passed to js (esc_js vs esc_url)
  100. Escaping inline JS correctly