wp_kses
You could use wp_kses
to define specific html-tag/attribute combinations to be permitted in the escaped output.
$allowed_html = [
'div' => [
'class' => [],
],
];
echo wp_kses( '<div class="whatever">hey</div>', $allowed_html );
wp_kses_post
You could use wp_kses_post
. It’s a pretty heavy function to use for such a purpose, but it is a valid way to escape your output.
<div <?php echo wp_kses_post('class="whatever"'); ?> >hey</div>
Related Posts:
- What characters do I need to escape in XML documents?
- What characters must be escaped in HTML 5?
- How can I selectively escape percent (%) in Python strings?
- How do I escape a single quote in jQuery?
- Escape Character in SQL Server
- How to escape apostrophe (‘) in MySql?
- Should HTML output be passed through esc_html() AND wp_kses()?
- How to prevent escaping when saving HTML code in an option value?
- How to correctly escape query variables to be used in WP_Query
- esc_attr / esc_html / esc_url in echos
- When do I need to use esc_html()? [duplicate]
- what’s different between esc_attr, htmlspecialchars and htmlentities
- Allow all attributes in $allowedposttags tags
- When outputting a static string to the page, is it necessary to escape the output?
- How Flexible are the WordPress Coding Standards for PHPCS?
- why is esc_html() returning nothing given a string containing a high-bit character?
- How to properly escape a translated string?
- Translate a Constant while appeasing WordPress PHPCS
- Using esc_url() on a url more than once
- Do I need to escape get_theme_mod(‘url’) / (‘mail’) with esc_url?
- How to allow   with wp_kses()?
- Using esc_attr_e
- Why esc_html_() is not used on every text that has a translation (on Twenty Twenty One)?
- Escaping crashes my output
- How to safely escape the title attribute
- Can wp_strip_all_tags be used as a substitute for esc_url, esc_attr & esc_html?
- Echoing a URL to a link
- wp_kses_post escaping doesn’t appear to work as described?
- file_get_contents | escaping doesnt show the page
- Help about Escaping
- How to keep specific tag from an html string?
- Escaping Issues
- Escaping and Special Characters (e.g. &)
- Escaping get_option( ‘time_format’ ) is nesserary?
- How to Git stash pop specific stash in 1.8.3?
- What are all the escape characters?
- Which characters need to be escaped when using Bash?
- Escape string Python for MySQL
- How do I use spaces in the Command Prompt?
- With “magic quotes” disabled, why does PHP/WordPress continue to auto-escape my POST data?
- Best Practice for PHP
- From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
- Escaping and sanitizing SVGs in metabox textarea
- Difference between esc_url() and esc_url_raw()
- Which WP functions do you need to use esc_html() or esc_url() on?
- What’s the difference between esc_* functions?
- What to use instead of wp_kses() in user output
- How to escape custom css?
- How to Use Wildcards in $wpdb Queries Using $wpdb->get_results & $wpdb->prepare?
- PHP Coding Standards, Widgets and Sanitization
- Should messages in WP_Error already be html escaped?
- When do I need to use esc_attr when using WordPress internal functions
- Disable escaping html
- Do you need to escape hard coded plain text?
- Escaping built-in WP function return strings
- How do I stop HTML entities in a custom meta box from being un-htmlentitied?
- Why should I escape translatable strings? and how shall i do that?
- esc_url not working within add_settings_field callback
- Do I need to use the esc_html() function on hard coded links?
- How Could I sanitize the receive data from this code
- Should you escape hardcoded URLs?
- Quotes being escaped inside wp_editor when saved with wp_kses_post
- When I re-save a post with [code] sections, the entities are double-escaped (> becomes > etc)
- Escape post image attachments added to template
- wp_query not searching with apostrophe
- Which escape function to use when escaping an email or plain text?
- Is Wrapping intval() Around esc_attr() Redundant for Escaping Input?
- Base64 & JSON Encode array in PHP, use as HTML data attribute, decode and parse in JavaScript …. with proper Escaping
- Something is unescaping all html entities before output to browser [closed]
- How to get my post title to work with an apostrophe (‘s)?
- Securing/Escaping Output of file content – reading via fread() in PHP
- WordPress stripping away backslashes from HTML
- esc_js() breaks unicode sequences by removing the slash ‘\’ character
- Unexpected esc_html and esc_attr behaviour
- HTML escaping data with ajax requests
- Allow HTML in Settings API input field
- Do we need to escape data that we receive from theme options?
- should I escape a literal url added in functions.php
- Why would you use esc_attr() on internal functions?
- How to allow single quote with esc_html__() without sprintf()
- How to safely return the HTML?
- Wrapping add_query_arg with esc_url not working
- wordpress post not showing my “” text>?
- Should I escape the html for the settings field created with add_settings_field?
- escape html in jQuery for WordPress
- echo cutom css code to WordPress page template file ? is this safe?
- Remove pre and code tags from WordPress
- Correct form of escaping and localization – functions.php breadcrumbs
- Escaping a Single Quote in str_replace for Nav Function
- wp_kses allow checkbox class and checked
- Escaping html for meta description
- How to make MySQL search queries with quotes
- Escaping WP_Query tax_query when term has special character(s)
- Escaping and sanitization
- Escaping WP_Query tax_query when term has special character(s)
- Escape html structure in php
- site_url() returns with additional backslashes
- How to display post meta data in secure manner
- Allow iframe in custom meta box
- Escaping admin_url output being passed to js (esc_js vs esc_url)