When you want to output trusted html, use html_entity_decode. $orig = “I’ll \”walk\” the <b>dog</b> now”; $a = htmlentities($orig); $b = html_entity_decode($a); echo $a; // I’ll "walk" the <b>dog</b> now echo $b; // I’ll “walk” the <b>dog</b> now You can find more examples here.
To strip HTML tags and shortcodes, use a combination of PHP’s strip_tags ( http://php.net/manual/en/function.strip-tags.php ) and WordPress’s strip_shortcodes ( https://codex.wordpress.org/Function_Reference/strip_shortcodes ) $meta_des = strip_shortcodes( strip_tag( $des ) );
According to the codex, you should define your wp_kses list of allowed html elements as below with array() instead of true $allowed_html = array( ‘input’ => array( ‘type’ => array(), ‘name’ => array(), ‘value’ => array(), ‘checked’ => array() ), );
Escaping a Single Quote in str_replace for Nav Function
The general rule is that you should escape as close to the place of actual output as possible. The reason for that is that if your escape is far removed from output then you assume output to be escaped… Until at some point in the future something changes in the other corner of the file … Read more
Escaping a WPDB Object in One Shot
How to use wp_filter_oembed_result?
I had to ask to finally find the solution, lol. The wp_kses do exactly that: $allowed_tags = array( ‘a’ => array( ‘href’ => array(), ), ); $content=”<a href=”#”>link</a> <b>strong text</b>”; $content = wp_kses($content, $allowed_tags); I found the solution in another topic
Remove pre and code tags from WordPress
Here’s just a few examples of what escaping looks like: Escaping URLS: <?php echo esc_url( home_url() ); ?> Escaping Content <?php echo esc_html( get_the_title() ); ?> Escaping Attributes <?php echo esc_attr( $my_class ); ?> Escaping Content but keep HTML <?php echo wp_kses_post( get_the_content() ); ?> Escaping Emails <?php echo sanitize_email( $email_address ) ); ?> For … Read more