For the first example, a lot of people will use wp_kses_post to handle basic HTML output from wrapper functions. It’s a shortcut for some basic attributes and tags using wp_kses. You could use this function where you specify allowed tags and attributes that can pass through for the second example.
Related Posts:
- Sanitization html output itself
- Should I sanitize an email address before passing it to the is_email() function?
- Escaping and sanitizing SVGs in metabox textarea
- What is the difference between wp_strip_all_tags and wp_filter_nohtml_kses?
- Reason for Lowercase usernames
- What is the best way to sanitize data?
- Should nonce be sanitized?
- esc_url removes white space. Can I change that to using ‘-‘?
- Sanitatizing when using the posts_where hook
- Escape hexadecimals/rgba values
- Correct processing of `$_POST`, following WordPress Coding Standards
- Must I serialize/sanitize/escape array data before using set_transient?
- Echo JavaScript Safely
- wp_kses ignore allowed and allow everything
- Sanitize array callback for the WordPress Settings API
- Why the WP Core team does not allow filter_* functions? [closed]
- How to escape $_GET and check if isset?
- What’s a safe / good way to output HTML safely within WordPress templates?
- Do Not Understand → Rule No. 4: Making Data Safe Is About Context [closed]
- Sanitizing output that contains quotes?
- WP_Customize_Manager: How to get control ID
- How to use wp_filter_oembed_result?
- Post text sanitization after publishing/editing – changes are not saved
- wp_set_object_terms() without accents
- Escaping data from database (users table) is necessary?
- Properly sanitize an input field “Name “
- what is a good method to sanitize the whole $_POST array in php?
- Data sanitization: Best Practices with code examples
- Why isn’t WordPress part of Framework Interop Group?
- How to safely sanitize a textarea which takes full HTML input
- How to properly validate data from $_GET or $_REQUEST using WordPress functions?
- When to use Exceptions vs Error Objects vs just plain false/null
- WordPress and event-driven programming – what is it about?
- is_email() VS sanitize_email()
- What is the difference between esc_html and wp_filter_nohtml_kses?
- How to escape custom css?
- Escaping quotes from shortcode attributes
- How should I document function calls?
- Sanitation needed for WP_Query or get_posts calls?
- How to allow HTML tags into WP Bakery (formerly Visual Composer) `textfield` parameter
- Avoiding “Usage of a direct database call is discouraged”
- Nonce in settings API with tabbed navigation
- Default WordPress settings API data sanitization
- What is the difference between strip_tags and wp_filter_nohtml_kses?
- Should I sanitize custom post meta if it is going to be escaped later?
- Remove tinyMCE from admin and replace with textarea
- wp_sanitize_redirect strips out @ signs (even from parameters) — why?
- I’m confused about URL sanitization in meta boxes
- Are we allowed to use the Allman (BSD) indent style when coding WordPress plugins and themes?
- Can I use namespaces in my plugin?
- Is default functions like update_post_meta safe to use user inputs?
- PHPCS: Strings should have translatable content
- How Could I sanitize the receive data from this code
- Assignments must be the first block of code on a line Validation Error on Travis
- Who is responsible for data sanitization in WordPress development?
- How to sanitize my cookie name
- Storing HTML in wp_options
- WordPress mode for emacs?
- What is the proper way to validate and sanitize JSON response from REST API?
- MITM risk of not sanitizing?
- Which escape function to use when escaping an email or plain text?
- Modify automatically generation of slug when term is created
- What function removes apostrophes when making a slug?
- How to sanitize uploaded file filename from a plugin?
- Is it better to create a function or a variable for current_theme_supports?
- Is wp_kses the right approach in sanitizing this string?
- Add comments for template variables
- Seeking clarity on data sanitization fields for settings textarea
- Prevent invalid or empty values from being saved to the database and retain the form field values upon error
- How to use sanitize_callback?
- Theme Customizier sanitize_callback not working
- Are all hooks/functions tied to Kses meant for sanitization?
- What data sanitzation function should be used to store entire source code of webpage?
- REQUIRED: Could not find wp_link_pages. See: wp_link_pages by Theme Checker
- What functions does WordPress use for filtering / sanitizing comments?
- Translate a Constant while appeasing WordPress PHPCS
- WordPress Theme Validator?
- data-type=”” … needed post tags stripped of characters
- wordpress is adding a second backslash when I use addslashes
- Understanding how the class family `inner-container` works
- confused about sanitize_email after is_email [duplicate]
- Do we need to escape data that we receive from theme options?
- Invalidate username if it contains @ symbol
- Contact Form Security
- Change user nicename without sanitize
- HTML in category name
- How could I better initialize a method from my class?
- Do I need to sanitize $_POST[‘keyword’] before send to ‘s’ parameter?
- Can non-latin characters appear in slugs?
- Data Validation & Sanitization for Big HTML Blocks
- I need to get the control choices to sanitize_callback
- Standard technique for AJAX post endpoint: WP REST or WP API?
- Escaping WP_Query tax_query when term has special character(s)
- PHP Code Sniffer – WordPress VIP Coding Standards
- Trouble creating custom sanitization function when uploading video files
- Sanitizing a custom query’s clauses
- How to return responsive images from a sanitize_callback?
- $wpdb->prepare referencing a const without a coding guideline warning
- esc_url, esc_url_raw or sanitize_url?
- how to sanitizing $_POST with the correct way?