Should HTML output be passed through esc_html() AND wp_kses()?

The general rule, at least as espoused by Mark Jaquith, is sanitize on input, escape on output (the corollary to this rule being sanitize early, escape late).

So: use sanitization filters (such as the kses() family) when storing untrusted data in the database, and use escaping filters (i.e. the esc_*() family) when outputting untrusted data in the template.

Related Posts:

  1. why is esc_html() returning nothing given a string containing a high-bit character?
  2. What characters do I need to escape in XML documents?
  3. What characters must be escaped in HTML 5?
  4. How can I selectively escape percent (%) in Python strings?
  5. How do I escape a single quote in jQuery?
  6. Escape Character in SQL Server
  7. How to escape apostrophe (‘) in MySql?
  8. How to prevent escaping when saving HTML code in an option value?
  9. Escaping and sanitizing SVGs in metabox textarea
  10. Sanitize and data validation with apply_filters() function
  11. What’s the difference between esc_* functions?
  12. How to correctly escape query variables to be used in WP_Query
  13. How to escape custom css?
  14. esc_attr / esc_html / esc_url in echos
  15. When do I need to use esc_html()? [duplicate]
  16. Escaping WP_Query tax_query when term has special character(s)
  17. what’s different between esc_attr, htmlspecialchars and htmlentities
  18. Allow all attributes in $allowedposttags tags
  19. When outputting a static string to the page, is it necessary to escape the output?
  20. Escape hexadecimals/rgba values
  21. How Flexible are the WordPress Coding Standards for PHPCS?
  22. Sanitizing comments or escaping comment_text()
  23. How to properly escape a translated string?
  24. Must I serialize/sanitize/escape array data before using set_transient?
  25. Sanitizing, Validating and Escaping in WordPress (Plugin)
  26. How Could I sanitize the receive data from this code
  27. How to sanitize user input?
  28. Which escape function to use when escaping an email or plain text?
  29. WP_Editor – Saving Value into Plugin Option – Stripping HTML
  30. What is the safe way to print tracking code / pixel code before tag or tag
  31. Translate a Constant while appeasing WordPress PHPCS
  32. Using esc_url() on a url more than once
  33. Do I need to escape get_theme_mod(‘url’) / (‘mail’) with esc_url?
  34. How to allow &nbsp with wp_kses()?
  35. Using esc_attr_e
  36. Why esc_html_() is not used on every text that has a translation (on Twenty Twenty One)?
  37. Escaping crashes my output
  38. How to escape html generate by a loop
  39. How to safely escape the title attribute
  40. Do we need to escape data that we receive from theme options?
  41. How to safely escape data that contains HTML attributes
  42. Can wp_strip_all_tags be used as a substitute for esc_url, esc_attr & esc_html?
  43. Echoing a URL to a link
  44. wp_kses_post escaping doesn’t appear to work as described?
  45. file_get_contents | escaping doesnt show the page
  46. Help about Escaping
  47. How to keep specific tag from an html string?
  48. How to use wp_filter_oembed_result?
  49. Escaping WP_Query tax_query when term has special character(s)
  50. Escaping and sanitization
  51. Escaping WP_Query tax_query when term has special character(s)
  52. Escaping Issues
  53. Escaping and Special Characters (e.g. &)
  54. Escaping data from database (users table) is necessary?
  55. Escaping get_option( ‘time_format’ ) is nesserary?
  56. esc_url, esc_url_raw or sanitize_url?
  57. how to sanitizing $_POST with the correct way?
  58. How should esc_url be combined with trailingslashit?
  59. Correct way of using esc_attr() and esc_html()
  60. esc_html don’t work on variable but do work on pasted text
  61. How to Git stash pop specific stash in 1.8.3?
  62. What are all the escape characters?
  63. Uses for the ‘"’ entity in HTML
  64. How can I add ” character to a multi line string declaration in C#?
  65. Illegal Escape Character “\”
  66. Escape quotes in JavaScript
  67. Which characters need to be escaped when using Bash?
  68. Escape string Python for MySQL
  69. what is a good method to sanitize the whole $_POST array in php?
  70. How is \\n and \\\n interpreted by the expanded regular expression?
  71. Why shouldn’t `'` be used to escape single quotes?
  72. What does it mean to escape a string?
  73. Invalid escape sequence (valid ones are \b \t \n \f \r \” \’ \\ )
  74. Escaping HTML strings with jQuery
  75. What’s the Use of ‘\r’ escape sequence?
  76. How do I use spaces in the Command Prompt?
  77. How do I escape ampersands in XML so they are rendered as entities in HTML?
  78. Unrecognized escape sequence for path string containing backslashes
  79. With “magic quotes” disabled, why does PHP/WordPress continue to auto-escape my POST data?
  80. Is sanitize_title enough to generate post slugs?
  81. What’s the difference between esc_html, esc_attr, esc_html_e, and so on?
  82. Should I escape wordpress functions like the_title, the_excerpt, the_content
  83. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  84. wordpress sanitize array?
  85. Data sanitization: Best Practices with code examples
  86. Should I sanitize an email address before passing it to the is_email() function?
  87. How safe / sanitized is wp_insert_posts()?
  88. Best Practice for PHP
  89. When to use esc_html and when to use sanitize_text_field?
  90. From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
  91. How to safely sanitize a textarea which takes full HTML input
  92. What is the difference between esc_html filter vs attribute_escape filter?
  93. What is the difference between wp_strip_all_tags and wp_filter_nohtml_kses?
  94. Difference between esc_url() and esc_url_raw()
  95. How to print translation supported text with HTML URL
  96. Custom page with variables in url. Nice url with add_rewrite_rule
  97. Which WP functions do you need to use esc_html() or esc_url() on?
  98. Sanitize content from wp_editor
  99. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  100. What to use instead of wp_kses() in user output

Leave a Comment

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)