Using esc_attr_e

I would suggest using esc_html instead of esc_attr for that, e.g.

<a href="https://wordpress.stackexchange.com/questions/185318/<?php echo esc_url( $url );?>" class="<?php echo esc_attr( $classes ); ?>">
    <?php echo esc_html( $title ); ?>
</a>
<div>
    <?php echo wp_kses_post( $html_with_safe_tags );?>
</div>
<script>
    <?php echo wp_json_encode( $data_for_js ); ?>
</script>

There is also:

  • esc_html__ esc_attr__ etc ( escape translations too! )
  • esc_js – escape strings for javascript e.g. console.log(<?php echo esc_js($var); ?>);
  • esc_url_raw when redirecting, use this instead
  • esc_sql
  • esc_textarea
  • sanitize_text_field
  • Whitelisting values
  • type casting with (int) or absint
  • and others

Related Posts:

  1. What characters do I need to escape in XML documents?
  2. What characters must be escaped in HTML 5?
  3. How can I selectively escape percent (%) in Python strings?
  4. How do I escape a single quote in jQuery?
  5. Escape Character in SQL Server
  6. How to escape apostrophe (‘) in MySql?
  7. Should HTML output be passed through esc_html() AND wp_kses()?
  8. How to prevent escaping when saving HTML code in an option value?
  9. How to correctly escape query variables to be used in WP_Query
  10. esc_attr / esc_html / esc_url in echos
  11. When do I need to use esc_html()? [duplicate]
  12. what’s different between esc_attr, htmlspecialchars and htmlentities
  13. Allow all attributes in $allowedposttags tags
  14. When outputting a static string to the page, is it necessary to escape the output?
  15. How Flexible are the WordPress Coding Standards for PHPCS?
  16. why is esc_html() returning nothing given a string containing a high-bit character?
  17. How to properly escape a translated string?
  18. Translate a Constant while appeasing WordPress PHPCS
  19. Using esc_url() on a url more than once
  20. Do I need to escape get_theme_mod(‘url’) / (‘mail’) with esc_url?
  21. How to allow &nbsp with wp_kses()?
  22. Why esc_html_() is not used on every text that has a translation (on Twenty Twenty One)?
  23. Escaping crashes my output
  24. How to safely escape the title attribute
  25. How to safely escape data that contains HTML attributes
  26. Can wp_strip_all_tags be used as a substitute for esc_url, esc_attr & esc_html?
  27. Echoing a URL to a link
  28. wp_kses_post escaping doesn’t appear to work as described?
  29. file_get_contents | escaping doesnt show the page
  30. Help about Escaping
  31. How to keep specific tag from an html string?
  32. Escaping Issues
  33. Escaping and Special Characters (e.g. &)
  34. Escaping get_option( ‘time_format’ ) is nesserary?
  35. How should esc_url be combined with trailingslashit?
  36. Correct way of using esc_attr() and esc_html()
  37. Uses for the ‘"’ entity in HTML
  38. Illegal Escape Character “\”
  39. How is \\n and \\\n interpreted by the expanded regular expression?
  40. Why shouldn’t `'` be used to escape single quotes?
  41. What does it mean to escape a string?
  42. Invalid escape sequence (valid ones are \b \t \n \f \r \” \’ \\ )
  43. Escaping HTML strings with jQuery
  44. How do I escape ampersands in XML so they are rendered as entities in HTML?
  45. Unrecognized escape sequence for path string containing backslashes
  46. Should I escape wordpress functions like the_title, the_excerpt, the_content
  47. Best Practice for PHP
  48. What is the difference between esc_html filter vs attribute_escape filter?
  49. Sanitize and data validation with apply_filters() function
  50. Difference between esc_url() and esc_url_raw()
  51. How do translated, escaped strings (esc_attr) in Themes work?
  52. Escaping WP_Query tax_query when term has special character(s)
  53. Do I need to escape data passed to wp_localize_script()?
  54. How to escape html code with html allowed
  55. esc before saving or before displaying does it matter?
  56. Escaping built-in WP function return strings
  57. Updating a post without escaping ampersands?
  58. esc_url not working within add_settings_field callback
  59. Prevent add_shortcode from escaping a tag
  60. Whats the safest way to output custom JavaScript and Css code entered by the admin in the Theme Settings?
  61. wp_specialchars and wp_specialchars_decode in a shortcode plugin
  62. Sanitizing comments or escaping comment_text()
  63. I am not understandinhg $wpdb->prepare correctly
  64. meta_query works locally but not on live server
  65. Prevent escaping javascript in visual editor
  66. Sanitizing, Validating and Escaping in WordPress (Plugin)
  67. Escape when echoed
  68. Quotes being escaped inside wp_editor when saved with wp_kses_post
  69. Should I always prefer esc_attr_e & esc_html_e instead of _e?
  70. Is it safe and good practice to use do_shortcode to escape?
  71. WP_Editor – Saving Value into Plugin Option – Stripping HTML
  72. Is it necessary to escape LIKE term in WP_User_Query?
  73. Post Content, Special Characters and Filters
  74. WordPress stripping away backslashes from HTML
  75. Updating post data on save (save_post vs wp_insert_post_data)
  76. What is the safe way to print tracking code / pixel code before tag or tag
  77. mysql_real_escape_string() vs. esc_sql() in WordPress
  78. How to escape html generate by a loop
  79. HTML escaping data with ajax requests
  80. Add HTML to Term Description
  81. Is there any solution, ide/tool etc., for automatic escaping for WordPress?
  82. How to allow single quote with esc_html__() without sprintf()
  83. Proper way to use esc_html__ and esc_attr__ etc for escaping value for translation
  84. Wrapping add_query_arg with esc_url not working
  85. ACF Unexpected T_CONSTANT_ENCAPSED_STRING [closed]
  86. How to pass an array as attribute of shortcode to work properly shortcode parser?
  87. wordpress post not showing my “” text>?
  88. How to correctly escape an echo
  89. Escaping a WPDB Object in One Shot
  90. How to make MySQL search queries with quotes
  91. Escape html structure in php
  92. site_url() returns with additional backslashes
  93. Code auto escaping is not working when using short codes
  94. Allow iframe in custom meta box
  95. problem with quotes on new post
  96. Escaping data from database (users table) is necessary?
  97. Escaping admin_url output being passed to js (esc_js vs esc_url)
  98. how to escape alert/window.location.replace with variable
  99. Escaping inline JS correctly
  100. Is it necessary to use escape functions on everything or is it only necessary if you’re taking input from a 3rd party? (End Users, APIs, Etc.)