Title: esc_js
Published: April 25, 2014
Last modified: February 24, 2026

---

# esc_js( string $text ): string


Escapes single quotes, `"`, `<`, `>`, `&`, and fixes line endings.

## Description

Escapes text strings for echoing in JS. It is intended to be used for inline JS (in a tag attribute, for example `onclick="..."`). Note that the strings have to be in single quotes. The [‘js_escape’](https://developer.wordpress.org/reference/hooks/js_escape/) filter is also applied here.

## Parameters

`$text` string, required

The text to be escaped.

## Return

string Escaped text.

## More Information

See [Data Validation](https://developer.wordpress.org/plugins/security/data-validation/)
for more information on escaping and sanitization.

## Source

```php
function esc_js( $text ) {
	$safe_text = wp_check_invalid_utf8( $text );
	$safe_text = _wp_specialchars( $safe_text, ENT_COMPAT );
	$safe_text = preg_replace( '/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes( $safe_text ) );
	$safe_text = str_replace( "\r", '', $safe_text );
	$safe_text = str_replace( "\n", '\\n', addslashes( $safe_text ) );
	/**
	 * Filters a string cleaned and escaped for output in JavaScript.
	 *
	 * Text passed to esc_js() is stripped of invalid or special characters,
	 * and properly slashed for output.
	 *
	 * @since 2.0.6
	 *
	 * @param string $safe_text The text after it has been escaped.
	 * @param string $text      The text prior to being escaped.
	 */
	return apply_filters( 'js_escape', $safe_text, $text );
}
```

[View all references](https://developer.wordpress.org/reference/files/wp-includes/formatting.php/)
[View on Trac](https://core.trac.wordpress.org/browser/tags/6.9.4/src/wp-includes/formatting.php#L4661)
[View on GitHub](https://github.com/WordPress/wordpress-develop/blob/6.9.4/src/wp-includes/formatting.php#L4661-L4679)
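
The two-stage decoding behind the "inline JS in a tag attribute, in single quotes" rule, as an added example that is not WordPress code: `approx_esc_js()` and `js_string_value()` are hypothetical stand-ins so the script runs without WordPress or a browser, and the sample input is constructed.

```php
<?php
// Added example. approx_esc_js() is a stand-in for esc_js() so this runs without
// WordPress: htmlspecialchars() replaces _wp_specialchars(), and the UTF-8 check
// and the 'js_escape' filter are left out.
function approx_esc_js( string $text ): string {
	$safe = htmlspecialchars( $text, ENT_COMPAT, 'UTF-8' ); // & < > " become entities, ' is untouched
	$safe = preg_replace( '/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes( $safe ) );
	$safe = str_replace( "\r", '', $safe );
	return str_replace( "\n", '\\n', addslashes( $safe ) ); // ' becomes \' and a line break becomes the two characters \n
}

// Stand-in for the JavaScript parser reading the body of a single-quoted string
// literal (covers the escapes produced above: \' \" \\ and \n).
function js_string_value( string $literal_body ): string {
	return stripcslashes( $literal_body );
}

// Constructed sample input: both kinds of quotes, markup characters and a line break.
$input   = "Tom & \"Jerry's\" <b>\r\nend";
$escaped = approx_esc_js( $input );
$want    = str_replace( "\r", '', $input ); // carriage returns are dropped by design

// 1. Event handler attribute: the HTML parser decodes entities first, then the
//    JavaScript parser reads the single-quoted string literal.
$in_attribute = js_string_value( html_entity_decode( $escaped, ENT_QUOTES, 'UTF-8' ) );

// 2. <script> element: entities are not decoded there, so the JavaScript parser
//    sees &amp; and &quot; as literal text.
$in_script = js_string_value( $escaped );

// 3. <script> element with JSON encoding (wp_json_encode() wraps PHP's json_encode()).
$json_in_script = json_decode( json_encode( $input ) );

printf( "escaped:          %s\n", $escaped );
printf( "attribute intact: %s\n", var_export( $in_attribute === $want, true ) );
printf( "script intact:    %s\n", var_export( $in_script === $want, true ) );
printf( "json intact:      %s\n", var_export( $json_in_script === $input, true ) );
```

The text survives the attribute context and the JSON path, but not the `<script>` element, where the entities stay literal and the value no longer matches what was stored.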

## Hooks

 [apply_filters( ‘js_escape’, string $safe_text, string $text )](https://developer.wordpress.org/reference/hooks/js_escape/)

Filters a string cleaned and escaped for output in JavaScript.

## Related

| Uses | Description |
| --- | --- |
| [wp_check_invalid_utf8()](https://developer.wordpress.org/reference/functions/wp_check_invalid_utf8/) `wp-includes/formatting.php` | Checks for invalid UTF8 in a string. |
| [_wp_specialchars()](https://developer.wordpress.org/reference/functions/_wp_specialchars/) `wp-includes/formatting.php` | Converts a number of special characters into their HTML entities. |
| [apply_filters()](https://developer.wordpress.org/reference/functions/apply_filters/) `wp-includes/plugin.php` | Calls the callback functions that have been added to a filter hook. |

| Used by | Description |
| --- | --- |
| [wp_default_packages_vendor()](https://developer.wordpress.org/reference/functions/wp_default_packages_vendor/) `wp-includes/script-loader.php` | Registers all the WordPress vendor scripts that are in the standardized `js/dist/vendor/` location. |
| [WP_Customize_Site_Icon_Control::content_template()](https://developer.wordpress.org/reference/classes/wp_customize_site_icon_control/content_template/) `wp-includes/customize/class-wp-customize-site-icon-control.php` | Renders a JS template for the content of the site icon control. |
| [WP_Links_List_Table::handle_row_actions()](https://developer.wordpress.org/reference/classes/wp_links_list_table/handle_row_actions/) `wp-admin/includes/class-wp-links-list-table.php` | Generates and displays row action links. |
| [Bulk_Upgrader_Skin::before()](https://developer.wordpress.org/reference/classes/bulk_upgrader_skin/before/) `wp-admin/includes/class-bulk-upgrader-skin.php` | Performs an action before a bulk update. |
| [Bulk_Upgrader_Skin::after()](https://developer.wordpress.org/reference/classes/bulk_upgrader_skin/after/) `wp-admin/includes/class-bulk-upgrader-skin.php` | Performs an action following a bulk update. |
| [Bulk_Upgrader_Skin::error()](https://developer.wordpress.org/reference/classes/bulk_upgrader_skin/error/) `wp-admin/includes/class-bulk-upgrader-skin.php` | Displays an error message about the update. |
| [_thickbox_path_admin_subfolder()](https://developer.wordpress.org/reference/functions/_thickbox_path_admin_subfolder/) `wp-admin/includes/ms.php` | Prints thickbox image paths for Network Admin. |
| [wp_save_image()](https://developer.wordpress.org/reference/functions/wp_save_image/) `wp-admin/includes/image-edit.php` | Saves image to post, along with enqueued changes in `$_REQUEST['history']`. |
| [iframe_header()](https://developer.wordpress.org/reference/functions/iframe_header/) `wp-admin/includes/template.php` | Generic Iframe header for use with Thickbox. |
| [WP_Themes_List_Table::display_rows()](https://developer.wordpress.org/reference/classes/wp_themes_list_table/display_rows/) `wp-admin/includes/class-wp-themes-list-table.php` | Generates the list table rows. |
| [wp_iframe()](https://developer.wordpress.org/reference/functions/wp_iframe/) `wp-admin/includes/media.php` | Outputs the iframe to display the media upload page. |
| [link_submit_meta_box()](https://developer.wordpress.org/reference/functions/link_submit_meta_box/) `wp-admin/includes/meta-boxes.php` | Displays link create form fields. |
| [Custom_Image_Header::js_1()](https://developer.wordpress.org/reference/classes/custom_image_header/js_1/) `wp-admin/includes/class-custom-image-header.php` | Displays JavaScript based on Step 1 and 3. |
| [dismissed_updates()](https://developer.wordpress.org/reference/functions/dismissed_updates/) `wp-admin/update-core.php` | Display dismissed updates. |
| [js_escape()](https://developer.wordpress.org/reference/functions/js_escape/) `wp-includes/deprecated.php` | Escape single quotes, specialchar double quotes, and fix line endings. |
| [sanitize_term_field()](https://developer.wordpress.org/reference/functions/sanitize_term_field/) `wp-includes/taxonomy.php` | Sanitizes the field value in the term based on the context. |
| [WP_Admin_Bar::_render_item()](https://developer.wordpress.org/reference/classes/wp_admin_bar/_render_item/) `wp-includes/class-wp-admin-bar.php` |  |
| [sanitize_user_field()](https://developer.wordpress.org/reference/functions/sanitize_user_field/) `wp-includes/user.php` | Sanitizes user field based on context. |
| [sanitize_post_field()](https://developer.wordpress.org/reference/functions/sanitize_post_field/) `wp-includes/post.php` | Sanitizes a post field based on context. |
| [sanitize_bookmark_field()](https://developer.wordpress.org/reference/functions/sanitize_bookmark_field/) `wp-includes/bookmark.php` | Sanitizes a bookmark field. |
| [wp_print_media_templates()](https://developer.wordpress.org/reference/functions/wp_print_media_templates/) `wp-includes/media-template.php` | Prints the templates used in the media manager. |

## Changelog

| Version | Description |
| --- | --- |
| [2.8.0](https://developer.wordpress.org/reference/since/2.8.0/) | Introduced. |

## User Contributed Notes

[Weston Ruter](https://profiles.wordpress.org/westonruter/) [10 years ago](https://developer.wordpress.org/reference/functions/esc_js/#comment-1747)

Vote results for this note: 2

I don’t really see the value of using `esc_js()` anymore. If you really have to do an inline script attribute, you may want to consider the following example with `wp_json_encode()` and `esc_attr()`, which seems easier to read and maintain:

```php
<?php
$onfocus = sprintf(
	'if ( %s === this.value ) { this.value = ""; }',
	wp_json_encode( $instance['input_text'] )
);
$onblur = sprintf(
	'if ( "" === this.value ) { this.value = %s; }',
	wp_json_encode( $instance['input_text'] )
);
?>
<input id="subbox" type="text" name="email"
	value="<?php echo esc_attr( $instance['input_text'] ); ?>"
	onfocus="<?php echo esc_attr( $onfocus ); ?>"
	onblur="<?php echo esc_attr( $onblur ); ?>" />
```

But in actuality, this specific example doesn’t need any PHP in its script attributes at all. The following should have the same result, thanks to the `defaultValue` property on the `HTMLInputElement` interface:

```php
<input id="subbox" type="text" name="email"
	value="<?php echo esc_attr( $instance['input_text'] ); ?>"
	onfocus="if ( this.defaultValue === this.value ) { this.value = ''; }"
	onblur="if ( '' === this.value ) { this.value = this.defaultValue; }" />
```

 * But for the sake of filters, you should use `esc_js()` where JavaScript is using the value. You see, when you use `esc_attr()`, the output is filtered with `attribute_escape`. But for `esc_js()`, output is filtered with the `js_escape` hook. So other plugins can know it’s being escaped for JS usage.
   [Sohan Zaman](https://profiles.wordpress.org/sohan5005/) [7 years ago](https://developer.wordpress.org/reference/functions/esc_js/#comment-3043)

[Codex](https://profiles.wordpress.org/codex/) [10 years ago](https://developer.wordpress.org/reference/functions/esc_js/#comment-1160)

Vote results for this note: -1

**Example**

Example of an input tag within a form displayed on the front-end of the site, generated from a widget. The first PHP segment is using `esc_attr` as it is an HTML attribute of input, while the next PHP segments are using `esc_js` within inline JavaScript.

```php
<input type="text" value="<?php echo esc_attr( $instance['input_text'] ); ?>" id="subbox" onfocus="if ( this.value == '<?php echo esc_js( $instance['input_text'] ); ?>') { this.value = ''; }" onblur="if ( this.value == '' ) { this.value = '<?php echo esc_js( $instance['input_text'] ); ?>'; }" name="email" />
```

If you’re not working with inline JS in HTML event handler attributes, a more suitable function to use is [wp_json_encode()](https://developer.wordpress.org/reference/functions/wp_json_encode/), which is built-in to WordPress. ([wp_json_encode()](https://developer.wordpress.org/reference/functions/wp_json_encode/) includes the string-delimiting quotes for you):

```php
var title = <?php echo wp_json_encode( $instance['title'] ) ?>;
```
