Securing Output

Securing output is the process of escaping output data.

Escaping means stripping out unwanted data, like malformed HTML or script tags.

Whenever you’re rendering data, make sure to properly escape it. Escaping output prevents XSS (Cross-site scripting) attacks.

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

Escaping Escaping

Escaping helps securing your data prior to rendering it for the end user. WordPress has a few helper functions you can use for most common scenarios.

  • esc_html() – Use this function anytime an HTML element encloses a section of data being displayed.
  • esc_url() – Use this function on all URLs, including those in the src and href attributes of an HTML element.
  • esc_js()– Use this function for inline Javascript.
  • esc_attr() – Use this function on everything else that’s printed into an HTML element’s attribute.

Most WordPress functions properly prepare data for output, so you don’t need to escape the data again. For example, you can safely call the_title() without escaping.

Top ↑

Escaping with Localization Escaping with Localization

Rather than using echo to output data, it’s common to use the WordPress localization functions, such as _e() or __().

These functions simply wrap a localization function inside an escaping function:

esc_html_e( 'Hello World', 'text_domain' );
// same as
echo esc_html( __( 'Hello World', 'text_domain' ) );

These helper functions combine localization and escaping:

Top ↑

Custom Escaping Custom Escaping

In the case that you need to escape your output in a specific way, the function wp_kses() (pronounced “kisses”) will come in handy.

This function makes sure that only the specified HTML elements, attributes, and attribute values will occur in your output, and normalizes HTML entities.

$allowed_html = [
    'a'      => [
        'href'  => [],
        'title' => [],
    'br'     => [],
    'em'     => [],
    'strong' => [],
echo wp_kses( $custom_content, $allowed_html );

wp_kses_post() is a wrapper function for wp_kses where $allowed_html is a set of rules used by post content.

echo wp_kses_post( $post_content );