How to escape $_GET and check if isset?

The proper way to do that is using filter_input(). Here is an example for using a custom sanitize function:

$tab = filter_input(
    INPUT_GET, 
    'tab', 
    FILTER_CALLBACK, 
    ['options' => 'esc_html']
);

$tab = $tab ?: 'front_page_options';

Related Posts:

  1. Should I sanitize an email address before passing it to the is_email() function?
  2. Escaping and sanitizing SVGs in metabox textarea
  3. What is the difference between wp_strip_all_tags and wp_filter_nohtml_kses?
  4. Reason for Lowercase usernames
  5. What is the best way to sanitize data?
  6. Should nonce be sanitized?
  7. esc_url removes white space. Can I change that to using ‘-‘?
  8. WP Coding standards – escaping the inescapable?
  9. Sanitatizing when using the posts_where hook
  10. Escape hexadecimals/rgba values
  11. Must I serialize/sanitize/escape array data before using set_transient?
  12. Echo JavaScript Safely
  13. wp_kses ignore allowed and allow everything
  14. Sanitize array callback for the WordPress Settings API
  15. What’s a safe / good way to output HTML safely within WordPress templates?
  16. Do Not Understand → Rule No. 4: Making Data Safe Is About Context [closed]
  17. Sanitizing output that contains quotes?
  18. WP_Customize_Manager: How to get control ID
  19. How to use wp_filter_oembed_result?
  20. Sanitization html output itself
  21. Post text sanitization after publishing/editing – changes are not saved
  22. wp_set_object_terms() without accents
  23. Escaping data from database (users table) is necessary?
  24. Properly sanitize an input field “Name “
  25. Is sanitize_title enough to generate post slugs?
  26. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  27. wordpress sanitize array?
  28. Should HTML output be passed through esc_html() AND wp_kses()?
  29. When to use esc_html and when to use sanitize_text_field?
  30. Sanitize and data validation with apply_filters() function
  31. Sanitize content from wp_editor
  32. Sanitize User Entered CSS
  33. Which KSES should be used and when?
  34. Settings API – sanitizing urls, email addresses and text
  35. Escaping WP_Query tax_query when term has special character(s)
  36. Does WordPress sanitize arguments to WP_Query?
  37. WP doesn’t show Array Custom Fields?
  38. Shortcode putting html such as
  39. How to properly sanitize strings without $wpdb->prepare?
  40. how to sanitize checkbox input?
  41. Sanitizing post content for use in an email
  42. Is there an equivalent of the PHP function sanitize_key in Gutenberg?
  43. How to get input_attrs in the sanitize function?
  44. What is the difference between sanitize_text_field() and wp_filter_nohtml_kses()?
  45. Sanitizing `wp_editor();` Values for Database, Edit, and Display
  46. Sanitizing search data for use with WP_Query
  47. How to sanitize post meta field value?
  48. where to apply “apply filters” and other Sanitization Functions
  49. How to save html and text in the database?
  50. Data Validation: Always escape late / escape HTML Code
  51. Multiple register settings, with same option name – issue
  52. Filter string like a slug
  53. Sanitize textarea instead of input
  54. Default WordPress taxonomy (Tag) – How to add a custom field to form and save it to the database
  55. Sanitizing, Validating and Escaping in WordPress (Plugin)
  56. vs WordPress Security
  57. Cannot get ‘sanitize_callback’ to work for rest parameters
  58. How to sanitize user input?
  59. Change filename during upload
  60. Why does wp_redirect strip out %0A (url encoded new line character) and how do I make it stop?
  61. wpdb get_results() and prepare when to use prepare?
  62. Preserve old values on error in setting API
  63. WP_Editor – Saving Value into Plugin Option – Stripping HTML
  64. CSS from textarea in options page to frontend what to do
  65. How to get rid of shortcodes in post content once and for all
  66. Data sanitization for user registration and user login
  67. What is the safe way to print tracking code / pixel code before tag or tag
  68. Unable to sanitize in customizer and escape in theme without removing ability for user to use “< br >” to insert a line break
  69. sanitize_text_field and apostrophe problem
  70. Escaping date string in url with wordpress
  71. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  72. What’s the proper way to sanitize checkbox value sent to the database
  73. How to escape html generate by a loop
  74. Does meta-data need to be sanitized?
  75. Can A Post Meta Field Store multiple values that are not in an array?
  76. esc_attr on get_post_meta [closed]
  77. Using esc_url_raw with protocols properly
  78. Output Sanitation
  79. How to allow certain PHP functions when using sanitize_callback in the word press customizer
  80. Sanitize $_GET variable when comparing
  81. Function sanitize_title() does not appear to be working
  82. Sanitaizing Select Optin For Custom Post Type Metabox in WP
  83. How to handle complex data with Settings API
  84. Toggle Shortcode Sanitize Title
  85. settings api and the data passed in the parameter
  86. HTML Img with data:image src gets sanitized in admin?
  87. Sanitizing URL in a WordPress plugin
  88. how to sanitize customizer checkbox control
  89. do I need to sanitize a shortcode’s function input?
  90. Where is the HTML-handler part in the wpdb class?
  91. Form Sanitization and Validation
  92. Data not displaying in text field
  93. Proper Way to Sanitize Meta Input
  94. Sanitize html, where to sanitize
  95. Save selectlist value (taxonomy) in wp:wp_set_object_terms
  96. Notice: Undefined index: in options-framework.php
  97. How to use esc_attr__() function properly to translate a variable that contains string?
  98. oneOf two possible objects in WP REST API?
  99. How to return responsive images from a sanitize_callback?
  100. how to sanitizing $_POST with the correct way?