Escape HTML question

Hello,

A reviewer is asking me to also escape vars that contain HTML generated by PHP, like:

$menu_items .= "<li>" . esc_attr($arr[$i]) . "</li>";
echo $menu_items;

How can I escape echo $menu_items?
Thank you!

    Hi,

    You can use the wp_kses() function to filter the HTML string. More info here: https://codex.wordpress.org/Function_Reference/wp_kses

    Paul

    Thank you, I know there is wp_kses, but this is not the correct method to use. wp_kses should be used only to filter some HTML values and remove the others; using it every time is impossible, it generates a big downgrade of performance and no one on this planet does this.

    In general, when I print HTML with PHP, what must I do? I mean that the core feature of PHP is to manipulate HTML, so building HTML code with PHP is one of the main and most used features of PHP; it is the basic core concept of every coding language for the web.

    So it is impossible that every echo that renders HTML must be escaped with wp_kses. In all the world this is not escaped at all, because it must print arbitrary HTML, so I'm almost sure I must not escape it, but if I am forced to escape anyway, is there any other solution?

    Thank you

    esc_html https://codex.wordpress.org/Function_Reference/esc_html

    esc_html does not render the HTML, it converts HTML into text… anyway, thank you for the answer!
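The practical answer to the question above, as an added example that is not taken from the thread: escape each dynamic value for the context it lands in at the point it is concatenated, and the assembled string is then safe to echo without a wp_kses() pass. The esc_* stand-ins and the $items data are constructed for this example.

```php
<?php
// Stand-ins so the example runs with plain `php`; inside WordPress the
// real esc_html()/esc_attr()/esc_url() are loaded and these are skipped.
// (Approximations, not the WordPress implementations.)
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
    function esc_attr($s) { return esc_html($s); }
    function esc_url($s) {
        // Real esc_url() also allows other safe schemes; this shim keeps only http(s).
        return preg_match('#^https?://#i', (string) $s) ? esc_attr($s) : '';
    }
}

// Constructed input: menu entries as they might come from an option or a
// database row. The second one is hostile.
$items = [
    ['label' => 'Home',                           'url' => 'https://example.com/'],
    ['label' => 'Docs <script>alert(1)</script>', 'url' => 'javascript:alert(1)'],
    ['label' => 'Say "hi" & bye',                 'url' => 'https://example.com/?a=1&b=2'],
];

// Unsafe: the <li>/<a> markup is the author's, but the values are
// concatenated raw, so a hostile label or URL lands in the page as-is.
function build_menu_unsafe(array $items): string {
    $menu_items = '';
    foreach ($items as $item) {
        $menu_items .= '<li><a href="' . $item['url'] . '">' . $item['label'] . '</a></li>';
    }
    return '<ul>' . $menu_items . '</ul>';
}

// Safe: each dynamic value is escaped for the context it lands in at the
// moment it is concatenated (href attribute -> esc_url, element text ->
// esc_html). Nothing untrusted reaches the string unescaped, so the
// finished string can be echoed as-is; no wp_kses() pass is needed.
function build_menu_safe(array $items): string {
    $menu_items = '';
    foreach ($items as $item) {
        $menu_items .= '<li><a href="' . esc_url($item['url']) . '">'
                     . esc_html($item['label']) . '</a></li>';
    }
    return '<ul>' . $menu_items . '</ul>';
}

echo build_menu_unsafe($items), "\n"; // <script> and javascript: survive
echo build_menu_safe($items), "\n";   // both neutralised, "&" becomes &amp;
```

Where part of the string really is HTML that came from outside the code (post content, a field that allows tags), filter that part with wp_kses_post() at the echo instead of escaping it as text.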