Securing output is the process of escaping output data.
Escaping means stripping out unwanted data, like malformed HTML or script tags.
Whenever you’re rendering data, make sure to properly escape it. Escaping output prevents XSS (Cross-site scripting) attacks.
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
Escaping helps securing your data prior to rendering it for the end user. WordPress has a few helper functions you can use for most common scenarios.
- esc_html() – Use this function anytime an HTML element encloses a section of data being displayed.
- esc_url() – Use this function on all URLs, including those in the
hrefattributes of an HTML element.
- esc_attr() – Use this function on everything else that’s printed into an HTML element’s attribute.
Most WordPress functions properly prepare data for output, so you don’t need to escape the data again. For example, you can safely call the_title() without escaping.
Escaping with Localization #Escaping with Localization
These functions simply wrap a localization function inside an escaping function:
esc_html_e( 'Hello World', 'text_domain' ); // same as echo esc_html( __( 'Hello World', 'text_domain' ) );
These helper functions combine localization and escaping:
Custom Escaping #Custom Escaping
In the case that you need to escape your output in a specific way, the function wp_kses() (pronounced “kisses”) will come in handy.
This function makes sure that only the specified HTML elements, attributes, and attribute values will occur in your output, and normalizes HTML entities.
$allowed_html = [ 'a' => [ 'href' => , 'title' => , ], 'br' => , 'em' => , 'strong' => , ]; echo wp_kses( $custom_content, $allowed_html );
wp_kses_post() is a wrapper function for wp_kses where
$allowed_html is a set of rules used by post content.
echo wp_kses_post( $post_content );