esc_attr( string $text )

Escaping for HTML attributes.




Parameters

$text

(string) (Required)



Return

(string)



Source

File: wp-includes/formatting.php

function esc_attr( $text ) {
	$safe_text = wp_check_invalid_utf8( $text );
	$safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
	/**
	 * Filters a string cleaned and escaped for output in an HTML attribute.
	 *
	 * Text passed to esc_attr() is stripped of invalid or special characters
	 * before output.
	 *
	 * @since 2.0.6
	 *
	 * @param string $safe_text The text after it has been escaped.
	 * @param string $text      The text prior to being escaped.
	 */
	return apply_filters( 'attribute_escape', $safe_text, $text );
}


Changelog

Version  Description
2.8.0    Introduced.


More Information

Encodes the <, >, &, " and ' (less than, greater than, ampersand, double quote and single quote) characters. Will never double encode entities.

Always use when escaping HTML attributes (especially form values) such as alt, value, title, etc. To escape the value of a translation use esc_attr__() instead; to escape, translate and echo, use esc_attr_e().



User Contributed Notes

  1. Contributed by J.D. Grimes

    It is important to always use quotes around your attribute’s value when it is being escaped with esc_attr(). Otherwise, your code will still be vulnerable to XSS.

    <!-- This is correct: -->
    <input type="text" name="fname" value="<?php echo esc_attr( $fname ); ?>">
    
    <!-- This is *not* correct: -->
    <input type=text name=fname value=<?php echo esc_attr( $fname ); ?>>
    
  2. Contributed by J.D. Grimes

    When escaping the values of attributes that accept URIs (like href and src), it is important to pass the value through esc_url(). If you only use esc_attr(), the code may still be vulnerable to XSS. (Note also, that when using esc_url(), you don’t need to also use esc_attr().)

    <!-- This is correct: -->
    <img src="<?php echo esc_url( $src ); ?>" />
    
    <!-- This is OK, but the esc_attr() is unnecessary: -->
    <img src="<?php echo esc_attr( esc_url( $src ) ); ?>" />
     
    <!-- This is *not* correct: -->
    <img src="<?php echo esc_attr( $src ); ?>" />
    


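The two notes above make one point: esc_attr() only encodes the five characters listed under More Information, so a value that contains none of them passes through unchanged, and what the browser does with it depends entirely on the surrounding markup. The added example below is not WordPress code: esc_attr_model() is a Python stand-in for esc_attr() (same five replacements, existing entities left alone), and Python's html.parser stands in for a browser's attribute tokenizer. It shows that the same input is one harmless value inside a quoted attribute but becomes an extra event-handler attribute when the quotes are missing, and that a javascript: URL survives esc_attr() untouched, which is why href and src need esc_url() instead.

```python
import re
from html.parser import HTMLParser

# Python model of esc_attr() (an assumption, not WordPress's own implementation):
# encode & < > " ' and leave already-encoded entities alone (no double encoding).
_ENTITY_RE = re.compile(r"&(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#[xX][0-9A-Fa-f]+);")
_SPECIALS = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;"}


def esc_attr_model(text: str) -> str:
    out, pos = [], 0
    for m in _ENTITY_RE.finditer(text):
        out.append("".join(_SPECIALS.get(c, c) for c in text[pos:m.start()]))
        out.append(m.group(0))  # existing entity: copied through, not re-encoded
        pos = m.end()
    out.append("".join(_SPECIALS.get(c, c) for c in text[pos:]))
    return "".join(out)


class _FirstTag(HTMLParser):
    """Records the attributes the parser sees on the first start tag (browser stand-in)."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def rendered_attrs(markup: str) -> dict:
    p = _FirstTag()
    p.feed(markup)
    p.close()
    return p.attrs or {}


def quoted_value_attr(fname: str) -> dict:
    # Note 1, correct form: the escaped value sits inside double quotes.
    return rendered_attrs(f'<input type="text" name="fname" value="{esc_attr_model(fname)}">')


def unquoted_value_attr(fname: str) -> dict:
    # Note 1, incorrect form: no quotes, so whitespace in the value ends the attribute.
    return rendered_attrs(f"<input type=text name=fname value={esc_attr_model(fname)}>")


if __name__ == "__main__":
    untrusted = "x onfocus=bad()"  # constructed sample input; contains none of & < > " '
    print(esc_attr_model(untrusted))  # unchanged: nothing for esc_attr() to encode
    print(quoted_value_attr(untrusted))  # one value attribute holding the whole string
    print(unquoted_value_attr(untrusted))  # value=x plus a separate onfocus attribute
    print(esc_attr_model("javascript:bad()"))  # also unchanged: esc_attr() is not esc_url()
```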