wp_kses
You could use wp_kses to define specific html-tag/attribute combinations to be permitted in the escaped output.
$allowed_html = [
'div' => [
'class' => [],
],
];
echo wp_kses( '<div class="whatever">hey</div>', $allowed_html );
wp_kses_post
You could use wp_kses_post. It’s a pretty heavy function to use for such a purpose, but it is a valid way to escape your output.
<div <?php echo wp_kses_post('class="whatever"'); ?> >hey</div>
Related Posts:
- What characters do I need to escape in XML documents?
- What characters must be escaped in HTML 5?
- How can I selectively escape percent (%) in Python strings?
- How do I escape a single quote in jQuery?
- Escape Character in SQL Server
- How to escape apostrophe (‘) in MySql?
- Should HTML output be passed through esc_html() AND wp_kses()?
- How to prevent escaping when saving HTML code in an option value?
- How to correctly escape query variables to be used in WP_Query
- esc_attr / esc_html / esc_url in echos
- When do I need to use esc_html()? [duplicate]
- what’s different between esc_attr, htmlspecialchars and htmlentities
- Allow all attributes in $allowedposttags tags
- When outputting a static string to the page, is it necessary to escape the output?
- How Flexible are the WordPress Coding Standards for PHPCS?
- why is esc_html() returning nothing given a string containing a high-bit character?
- How to properly escape a translated string?
- Translate a Constant while appeasing WordPress PHPCS
- Using esc_url() on a url more than once
- Do I need to escape get_theme_mod(‘url’) / (‘mail’) with esc_url?
- How to allow   with wp_kses()?
- Using esc_attr_e
- Why esc_html_() is not used on every text that has a translation (on Twenty Twenty One)?
- Escaping crashes my output
- How to safely escape the title attribute
- Can wp_strip_all_tags be used as a substitute for esc_url, esc_attr & esc_html?
- Echoing a URL to a link
- wp_kses_post escaping doesn’t appear to work as described?
- file_get_contents | escaping doesnt show the page
- Help about Escaping
- How to keep specific tag from an html string?
- Escaping Issues
- Escaping and Special Characters (e.g. &)
- Escaping get_option( ‘time_format’ ) is nesserary?
- How should esc_url be combined with trailingslashit?
- Correct way of using esc_attr() and esc_html()
- How to Git stash pop specific stash in 1.8.3?
- What are all the escape characters?
- Illegal Escape Character “\”
- Which characters need to be escaped when using Bash?
- What does it mean to escape a string?
- Invalid escape sequence (valid ones are \b \t \n \f \r \” \’ \\ )
- How do I use spaces in the Command Prompt?
- With “magic quotes” disabled, why does PHP/WordPress continue to auto-escape my POST data?
- Best Practice for PHP
- From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
- Escaping and sanitizing SVGs in metabox textarea
- Difference between esc_url() and esc_url_raw()
- What to use instead of wp_kses() in user output
- How to escape custom css?
- How to Use Wildcards in $wpdb Queries Using $wpdb->get_results & $wpdb->prepare?
- Escaping WP_Query tax_query when term has special character(s)
- Do I need to escape data passed to wp_localize_script()?
- Should messages in WP_Error already be html escaped?
- Do you need to escape hard coded plain text?
- Escaping built-in WP function return strings
- How do I stop HTML entities in a custom meta box from being un-htmlentitied?
- Why should I escape translatable strings? and how shall i do that?
- esc_url not working within add_settings_field callback
- Do I need to use the esc_html() function on hard coded links?
- Prevent add_shortcode from escaping a tag
- Sanitizing comments or escaping comment_text()
- Prevent escaping javascript in visual editor
- How Could I sanitize the receive data from this code
- Quotes being escaped inside wp_editor when saved with wp_kses_post
- When I re-save a post with [code] sections, the entities are double-escaped (> becomes > etc)
- Escape post image attachments added to template
- wp_query not searching with apostrophe
- Which escape function to use when escaping an email or plain text?
- Is it safe and good practice to use do_shortcode to escape?
- Base64 & JSON Encode array in PHP, use as HTML data attribute, decode and parse in JavaScript …. with proper Escaping
- Something is unescaping all html entities before output to browser [closed]
- Securing/Escaping Output of file content – reading via fread() in PHP
- WordPress stripping away backslashes from HTML
- How to escape html generate by a loop
- How to escape multiple attribute at once in WordPress?
- HTML escaping data with ajax requests
- Add HTML to Term Description
- should I escape a literal url added in functions.php
- Is there any solution, ide/tool etc., for automatic escaping for WordPress?
- How to allow single quote with esc_html__() without sprintf()
- Proper way to use esc_html__ and esc_attr__ etc for escaping value for translation
- Wrapping add_query_arg with esc_url not working
- ACF Unexpected T_CONSTANT_ENCAPSED_STRING [closed]
- How to pass an array as attribute of shortcode to work properly shortcode parser?
- How to correctly escape an echo
- Escaping a WPDB Object in One Shot
- How to make MySQL search queries with quotes
- Escaping WP_Query tax_query when term has special character(s)
- Escape html structure in php
- site_url() returns with additional backslashes
- Code auto escaping is not working when using short codes
- Allow iframe in custom meta box
- problem with quotes on new post
- Escaping data from database (users table) is necessary?
- esc_url, esc_url_raw or sanitize_url?
- how to sanitizing $_POST with the correct way?
- how to escape alert/window.location.replace with variable
- What is best practice when escaping the_title()?
- If necessary, how should wp_get_attachment_image() and its parameters be escaped?