I would suggest using esc_html instead of esc_attr for that, e.g.
<a href="<?php echo esc_url( $url ); ?>" class="<?php echo esc_attr( $classes ); ?>">
    <?php echo esc_html( $title ); ?>
</a>
<div>
    <?php echo wp_kses_post( $html_with_safe_tags ); ?>
</div>
<script>
    <?php echo wp_json_encode( $data_for_js ); ?>
</script>
There is also:
- esc_html__, esc_attr__ etc (escape translations too!)
- esc_js – escape strings for JavaScript, e.g. console.log( '<?php echo esc_js( $var ); ?>' );
- esc_url_raw: when redirecting, use this instead
- esc_sql
- esc_textarea
- sanitize_text_field
- Whitelisting values
- type casting with (int) or absint
- and others
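
The input-side items from the list (whitelisting, absint, sanitize_text_field) combined with the per-context output escaping from the snippet, as an added example that is not part of the original answer. It assumes WordPress is loaded; the function name, the query parameters (orderby, paged, s), the JavaScript variable and the CSS class names are hypothetical.

```php
<?php
// Added example: sanitize on input, escape late on output.
// Assumes WordPress is loaded; all names below are hypothetical.
function example_render_sort_link() {
	// Whitelisting: accept only known values, otherwise fall back to a default.
	$allowed = array( 'date', 'title', 'author' );
	$orderby = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'date';
	if ( ! in_array( $orderby, $allowed, true ) ) {
		$orderby = 'date';
	}

	// Type casting: absint() always yields a non-negative integer.
	$paged = isset( $_GET['paged'] ) ? max( 1, absint( $_GET['paged'] ) ) : 1;

	// Free text: strip tags, control characters and extra whitespace.
	$search = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';

	// add_query_arg() does not encode new values, so encode the free text here.
	$url = add_query_arg(
		array(
			'orderby' => $orderby,
			'paged'   => $paged,
			's'       => rawurlencode( $search ),
		),
		home_url( '/' )
	);

	$classes = 'sort-link sort-' . $orderby;
	$title   = sprintf( 'Results for "%s", sorted by %s', $search, $orderby );
	$state   = array(
		'orderby' => $orderby,
		'paged'   => $paged,
		'search'  => $search,
	);
	?>
	<!-- Each value is escaped for the context it lands in: URL, attribute, HTML text, JS. -->
	<a href="<?php echo esc_url( $url ); ?>" class="<?php echo esc_attr( $classes ); ?>">
		<?php echo esc_html( $title ); ?>
	</a>
	<script>
		// JSON_HEX_TAG and JSON_HEX_AMP keep "<", ">" and "&" out of the script block.
		var exampleState = <?php echo wp_json_encode( $state, JSON_HEX_TAG | JSON_HEX_AMP ); ?>;
	</script>
	<?php
}
```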