What is best practice when escaping the_title()?

You would use it like this:

<?php the_title(); ?>

the_title is responsible for its own escaping, much like the_content. It’s the same with any filters that try to use it, they should perform escaping on anything they add.

In fact, I can run JS such as alert(“test”); if I place that in the post title.

This is because you are either a super admin on a multisite or an administrator role on a non-multisite, these gain the unfiltered_html bypassing all sanitising on save. This is why you can put raw script tags in posts, other users cannot, and this capability is disabled on a lot of enterprise hosts as it’s a security concern. I recommend that you disable/remove it, though be aware that if you as a super admin depend on it, a non-super admin who tries to save that post will find the title/content sanitised and your tags disappear when they save as they won’t have that capability.

Having said that, it has nothing to do with escaping, your title could contain script tags, and escaping would still print them, but the tags would be escaped and they would be visible to people reading them on the frontend rather than executed/seen as actual tags.

So instead:

  • Use the_title() as is, to directly output the title
  • Or, if you’re concerned that the user has the unfiltered_html capability, use echo esc_html( get_the_title(

Note though that the title is used in many other places though such as OEmbed and SEO tags, as well as the title tag, it may be easier to eliminate the unfiltered_html capability, and I recommend you do this if only as a security measure.

I have tried (1) <?php esc_html(the_title('<h1>','</h1>'))?>

This failed for multiple reasons that have nothing to do with WordPress but highlight missing information about PHP basics

  1. There’s no echo! So if it worked it wouldn’t print anything
  2. the_title does not return a value by default, it outputs directly

This means that the code is the same as this:

echo esc_html('');
the_title('<h1>','</h1>');

Also tried (2) <h1><?php echo esc_html(the_title);</h1> with the same result

This is better as it includes an echo but you’ve asked it to escape the function itself, not the posts title, this is almost equivalent to this:

echo esc_html( function the_title() { .... } );

Which will likely result in a PHP warning like this:

Warning: Uncaught Error: Object of class Closure could not be converted to string in...

Important things to note for the future:

  • Check first but a general rule of thumb is that the_... will output directly without an echo, and get_the or get_ requires an echo statement and an escaping function.
  • Functions beginning with the_ tend to do their own escaping internally
  • Don’t double escape! esc_html( esc_html( is very bad and can let stuff leak through if it’s crafted right
  • calling a function involves () somewhere, you can’t apply escaping like a modifier or buff by calling escape(function_name)
  • escape as late as you possibly can, ideally at the moment of output
  • avoid gathering HTML bits in a variable then printing it at the end, it makes it super super hard to escape stuff properly
  • don’t escape input, that’s what sanitising and validating are for, escaping is only for output
  • Do not try to use esc_js and esc_sql they don’t do what they appear to do and have very specific internal uses. wpdb->prepare should cover all SQL related escaping, and wp_json_encode can prepare data for javascript so you don’t have to construct it out of strings when showing the page

Related Posts:

  1. esc_url not working within add_settings_field callback
  2. Whats the safest way to output custom JavaScript and Css code entered by the admin in the Theme Settings?
  3. What is the safe way to print tracking code / pixel code before tag or tag
  4. How to escape html generate by a loop
  5. How to escape multiple attribute at once in WordPress?
  6. Is there any solution, ide/tool etc., for automatic escaping for WordPress?
  7. How to safely return the HTML?
  8. Correct form of escaping and localization – functions.php breadcrumbs
  9. wp_kses allow checkbox class and checked
  10. how can I add an icon/image for a child theme?
  11. Caching and Versioning for rtl.css
  12. Getting instance variable in scope of ‘wp_enqueue_scripts’
  13. How to change admin bar color scheme in MP6 / WP 3.8 front end?
  14. Google Maps not displaying in wordpress using Google Maps Javascript API
  15. When to use esc_url, esc_html, esc_attr, and friends?
  16. What is the purpose of an extra file for translation?
  17. How to enqueue scripts and styles only when there are needed?
  18. Unexpected width and srcset attributes for the_post_thumbnail();
  19. Pushing updates to your premium theme
  20. The best way to add stylesheets to WordPress
  21. WordPress custom post type page dysplay 404 error
  22. How wordpress handle upload images and how to use them in the code
  23. Change loop order via form or link (jquery, not URL)
  24. how to create theme based widget that can be drop in sider bar or footer
  25. CSS in child theme not overriding the parent theme [closed]
  26. How to add dynamic inline style?
  27. Optimal solution to develop a wordpress theme?
  28. Change display of featured image for pages in twenty seventeen theme
  29. How to test for MU via functions.php?
  30. List categories and exclude child categories
  31. WordPress Gutenberg Theme: Structure, Hierarchy and Custom Templates
  32. Am I supposed to create a child theme for every theme I use?
  33. Custom shortcodes not working using __s theme
  34. Disable wp_enqueue_style for theme on wp-admin
  35. Widget items disappearing
  36. Add submenus to Theme options menu
  37. Custom URL parameters in template files
  38. How to add new args data in $wp_customize->add_setting?
  39. wp_post->post_parent object returning 0
  40. Customizer: Unique identifier that distinguishes which image upload control is uploading an image
  41. Theme Splash Image within the “Appearance -> Themes” control panel [duplicate]
  42. display menu with out list tags
  43. Disabling automatic teasers
  44. Can “Recent Posts” widget be filtered by functions.php?
  45. attachment.php code or tutorial
  46. How to filter or remove the “title” attribute from category links
  47. Remove CPT slug from URL WordPress
  48. Custom get_the_excerpt() only works on first post
  49. Permanently activate WordPress theme
  50. How can I add custom text styles to the visual text editor?
  51. Getting Different Size Of Attachment Images
  52. 2 loops, is_home won’t work, count is off
  53. how to remove the gallery shortcode in wordpress?
  54. What PNG Fix script do you recommend for IE6?
  55. How to show specific post meta?
  56. Show for a particular page ID only title and short summary
  57. wpautop on section
  58. Are seven additional image sizes are too many?
  59. registering a global template wordpress 6.0
  60. How do I use wp_nav_menu?
  61. How to add InnerBlock multiple times in the same block
  62. Assign custom classes to the divs inside the loop
  63. How to clean up the theme for production?
  64. Proper way to move a Bootstrap site to WordPress [closed]
  65. Theme development: How to add CSS classes to menu items?
  66. How to conditionally add a wp_filter
  67. HTTP Error when uploading images over specific dimensions
  68. custom Background not showing after upgrade?
  69. How do I assign a particular post to a particular page in WordPress?
  70. Rolling your own WordPress Themes
  71. PHP Parse error: syntax error, unexpected ‘endwhile’ (T_ENDWHILE), expecting elseif (T_ELSEIF) or else (T_ELSE) or endif (T_ENDIF) on line 124
  72. how use ajax to custom page template
  73. Posts Page shows Classic Editor interface not Gutenberg
  74. Comment Form Development Issue
  75. Removing element from DOM with jquery through plugin Custom Scripts for Customizer
  76. hide theme files for admin beneath root
  77. How to load jQuery with Ajax in WP version 5.3.2?
  78. Does any JavaScript file load automatically for index.php file?
  79. WordPress menu walker – Get parent item text inside end_lvl function
  80. Display content on Single page
  81. WordPress Ajax Spitting out a page as a response?
  82. Filter URL and shortcodes from the_excerpt
  83. Check if redirected from a specific page template
  84. Postname permalink page not found error
  85. After theme change the menus have to be manually linked to the corresponding theme location
  86. What’s the policy for building a theme that doesn’t support widgets/menus?
  87. Incorporate zilla shortcode into theme
  88. Passing a location-dependent array via wp_localize_script within a shortcode
  89. Import/Export WordPress demo
  90. Global Navigation menu in diiferrent wordpress setups
  91. getting id of page
  92. How to make a sticky footer?
  93. How can i display a 4 diferent themplate for the archive page
  94. How To add li class and a class wp_nav_menu() with bootstrap 5 navbar?
  95. Full site editing templates folder vs block-templates
  96. How can a theme define which settings for blocks are available in the block editor?
  97. How to enable wc_add_to_cart_message?
  98. Export WordPress theme with modifications for other site
  99. How to Use Webpack with WordPress Script Modules and Enqueue a Custom Class
  100. Which is recommended to learn first: classic themes or block themes?
techhipbettruvabetnorabahisbahis forumutaraftarium24edusedusedueduedusedusedusedueduedu