What’s a safe / good way to output HTML safely within WordPress templates?

It depends on the context. In a template you’d just echo it:

<div>
    <?php echo parse_html_for_images(); ?>
</div>

In a function you might want to concatenate it with something else:

function wpse_303376_thumbnail() {
    return '<div>' . parse_html_for_images() . '</div>';
}

In a shortcode callback with lots other markup you might want to use output buffering, since shortcodes require you return the entire output:

function wpse_303376_shortcode() {
    ob_start();

    echo '<div>';
    echo parse_html_for_images();
    echo '</div>';

    return ob_get_clean();
}

Escaping is an entirely separate issue, and is about ensuring unsafe data, like user input, can’t do anything malicious or break your markup. For example, you might want to escape the thumbnail URL in your function to ensure it’s a URL and not a script tag:

function parse_html_for_images() {
    return '<img src="' . esc_url( thumbnail_url() ) . '">';
}

But there’s no point escaping HTML that you have hard-coded into the template or function, since it’s predictable.

Related Posts:

  1. Should I sanitize an email address before passing it to the is_email() function?
  2. Escaping and sanitizing SVGs in metabox textarea
  3. What is the difference between wp_strip_all_tags and wp_filter_nohtml_kses?
  4. Reason for Lowercase usernames
  5. What is the best way to sanitize data?
  6. Should nonce be sanitized?
  7. esc_url removes white space. Can I change that to using ‘-‘?
  8. WP Coding standards – escaping the inescapable?
  9. Sanitatizing when using the posts_where hook
  10. Escape hexadecimals/rgba values
  11. Must I serialize/sanitize/escape array data before using set_transient?
  12. Echo JavaScript Safely
  13. wp_kses ignore allowed and allow everything
  14. Sanitize array callback for the WordPress Settings API
  15. How to escape $_GET and check if isset?
  16. Do Not Understand → Rule No. 4: Making Data Safe Is About Context [closed]
  17. Sanitizing output that contains quotes?
  18. WP_Customize_Manager: How to get control ID
  19. How to use wp_filter_oembed_result?
  20. Sanitization html output itself
  21. Post text sanitization after publishing/editing – changes are not saved
  22. wp_set_object_terms() without accents
  23. Escaping data from database (users table) is necessary?
  24. Properly sanitize an input field “Name “
  25. How safe / sanitized is wp_insert_posts()?
  26. Sanitize content from wp_editor
  27. What’s the difference between esc_* functions?
  28. Sanitizing integer input for update_post_meta
  29. Which KSES should be used and when?
  30. Is sanitize_text_field() is enough to save to DB?
  31. Escaping quotes from shortcode attributes
  32. How to sanitize select box values in post meta?
  33. WP doesn’t show Array Custom Fields?
  34. Do Cookies Need to be Sanatized Before Being Saved?
  35. What is the difference between strip_tags and wp_filter_nohtml_kses?
  36. how to sanitize checkbox input?
  37. Sanitizing post content for use in an email
  38. How to get input_attrs in the sanitize function?
  39. What is the difference between sanitize_text_field() and wp_filter_nohtml_kses()?
  40. I’m confused about URL sanitization in meta boxes
  41. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  42. where to apply “apply filters” and other Sanitization Functions
  43. How to save html and text in the database?
  44. Is default functions like update_post_meta safe to use user inputs?
  45. vs WordPress Security
  46. Cannot get ‘sanitize_callback’ to work for rest parameters
  47. Who is responsible for data sanitization in WordPress development?
  48. How to sanitize user input?
  49. How to sanitize my cookie name
  50. Do We Need to Validate, Sanitize, or Filter Simple Numerical Superglobals (Cookies and Post)?
  51. MITM risk of not sanitizing?
  52. Which escape function to use when escaping an email or plain text?
  53. WordPress Settings API – Sanitize Integer
  54. CSS from textarea in options page to frontend what to do
  55. How to get rid of shortcodes in post content once and for all
  56. Is wp_kses the right approach in sanitizing this string?
  57. Seeking clarity on data sanitization fields for settings textarea
  58. Is it sensible to worry about sanitizing admin input in plugin custom CSS?
  59. How to use sanitize_callback?
  60. Unable to sanitize in customizer and escape in theme without removing ability for user to use “< br >” to insert a line break
  61. Are all hooks/functions tied to Kses meant for sanitization?
  62. sanitize_text_field and apostrophe problem
  63. Getting error to display radio button value in General Settings page
  64. What data sanitzation function should be used to store entire source code of webpage?
  65. Escaping date string in url with wordpress
  66. What functions does WordPress use for filtering / sanitizing comments?
  67. wordpress is adding a second backslash when I use addslashes
  68. WordPress messes up with data attributes in shortcode output
  69. textarea field is getting escaped for some unknown reason
  70. Do we need to escape data that we receive from theme options?
  71. Input sanitation
  72. Sanitize user input fields before wp_insert_post
  73. How WordPress sanitizes post content on save? Or it doesn’t?
  74. Function sanitize_title() does not appear to be working
  75. Restrict characters in comment section
  76. Toggle Shortcode Sanitize Title
  77. How to use checked() function with multiple check box group? How to properly sanitize that checkbox group?
  78. How to allow arbitrary inline CSS in posts?
  79. how to sanitize customizer checkbox control
  80. Trouble matching strings (titles) using wp_query
  81. Sanitize WordPress Array Input?
  82. How to save Checkbox-Options in Plugin Options Page
  83. Customizer textarea with script tag won’t work in live preview
  84. do I need to sanitize a shortcode’s function input?
  85. Data not displaying in text field
  86. Array/List Edit in Backend
  87. Escaping and sanitization
  88. Escaping WP_Query tax_query when term has special character(s)
  89. Proper Way to Sanitize Meta Input
  90. Comparing pre-saved post_title to post-saved post_title
  91. Save selectlist value (taxonomy) in wp:wp_set_object_terms
  92. Settings api sanatize callback not being triggered
  93. Auto post with filling templates from external data and update periodical
  94. Notice: Undefined index: in options-framework.php
  95. Sanitizing a custom query’s clauses
  96. Customizer sanitize_callback for input type number
  97. How to use esc_attr__() function properly to translate a variable that contains string?
  98. How can I properly sanitize the update_option in WordPress?
  99. How to return responsive images from a sanitize_callback?
  100. how to sanitizing $_POST with the correct way?