Need help for escapes in WordPress

#1

Hi, I need a little guidance to understand escaping in WordPress.

If I save a value like my name, Ateeq, in some field in the WordPress backend, in the customizer or metaboxes, and then try to get that value for output and esc_html it, it will not let HTML work as it should. So when I need a user to save some HTML, like in the footer where they should save anchor links with their website name, how do I escape it so that the HTML works normally?

If I remove esc_html everything is great, but the reviewer needs me to escape everything before output.

I would be very thankful for any help, thanks.


#2

Use esc_attr for displaying HTML - https://developer.wordpress.org/reference/functions/esc_attr/

esc_html is for removing HTML


#3

Take a look at wp_kses function: https://codex.wordpress.org/Function_Reference/wp_kses


#4

Thanks for your reply. esc_attr removes HTML and double quotes, equal signs, and many more special characters as well. The correct answer is the wp_kses function, passing a list of allowed HTML tags. Thanks for your response.


#5

Thanks, yes, that's the correct answer, I already found that 2 days ago 🙂 Thanks for your response!


#6

Use wp_kses if you know which HTML tags should not be removed; use wp_kses_post($string) if you don't know what the HTML of the input will be and you only want to escape the value and render everything without removing any HTML tag (note that both remove the style attribute background-image).


#7

Thank you! wp_kses_post is good for HTML 🙂 without worrying about allowed_html in wp_kses.
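
The approach the thread settles on, shown as an added example that is not code from any of the posts: a customizer footer field filtered with wp_kses against an explicit allow-list on save and again on output, next to a plain-text field that uses esc_html. It assumes the file is loaded by WordPress from a theme's functions.php; the `mytheme_*` function names, the `mytheme_footer_text` and `mytheme_author_name` settings and the `mytheme` text domain are hypothetical.

```php
<?php
// Added example. Assumes WordPress has loaded this file (theme functions.php).
// All mytheme_* names and setting ids are hypothetical.

// Tags and attributes the footer field may contain. wp_kses() strips every
// tag and attribute not listed here and drops URLs with disallowed protocols.
function mytheme_footer_allowed_html() {
    return array(
        'a'      => array( 'href' => array(), 'title' => array(), 'rel' => array(), 'target' => array() ),
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
    );
}

// Filter on save, so disallowed markup never reaches the database.
function mytheme_sanitize_footer_text( $value ) {
    return wp_kses( $value, mytheme_footer_allowed_html() );
}

function mytheme_customize_register( $wp_customize ) {
    $wp_customize->add_setting( 'mytheme_footer_text', array(
        'default'           => '',
        'sanitize_callback' => 'mytheme_sanitize_footer_text',
    ) );
    $wp_customize->add_control( 'mytheme_footer_text', array(
        'label'   => __( 'Footer text', 'mytheme' ),
        'section' => 'title_tagline',
        'type'    => 'textarea',
    ) );
}
add_action( 'customize_register', 'mytheme_customize_register' );

// HTML field: filter again at output (call this from footer.php), because
// the stored value is still treated as untrusted when it is printed.
// wp_kses_post( $raw ) could be used instead to accept the post-content tag set.
function mytheme_footer_text() {
    $raw = get_theme_mod( 'mytheme_footer_text', '' );
    echo wp_kses( $raw, mytheme_footer_allowed_html() );
}

// Plain-text field (a name): no markup is expected, so esc_html() encodes
// any <, >, & and quotes and the value is shown as literal text.
function mytheme_author_name() {
    echo esc_html( get_theme_mod( 'mytheme_author_name', '' ) );
}
```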