Escaping
Escaping converts special characters in output to their safe HTML entity equivalents, preventing browsers from interpreting data as executable code.
How it works
Escaping is the last line of defense against XSS. It must happen at the point of output, using the function that matches the output context. Even if data was sanitized on input, it should still be escaped on output — defense in depth.
In WordPress
Use esc_html() in HTML body, esc_attr() in attributes, esc_url() in href/src, esc_js() in inline JS, and wp_kses_post() when you need to allow some HTML tags. For translated strings, use the combined functions: esc_html_e(), esc_attr__(), etc.
Code example
```php
// HTML body: text node between tags
echo '<p>' . esc_html( $text ) . '</p>';

// Quoted attribute value
echo '<input value="' . esc_attr( $value ) . '">';

// URL in href/src: also rejects disallowed schemes
echo '<a href="' . esc_url( $link ) . '">';

// Translated, then escaped and echoed in one call
esc_html_e( 'Save Settings', 'my-plugin' );
```
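The following is an added example, not code from the original page or from WordPress itself, showing the same value rendered into four output contexts. It contrasts a common mistake (one escaping function for every context) with the context-matched version; the option names, function names and shortcode tag are hypothetical.

```php
<?php
// Hypothetical setting saved elsewhere with sanitize_text_field() on input.
// It is still escaped on output below: sanitizing input does not replace escaping.
function mp_get_card_link() {
    return get_option( 'mp_card_link', '' ); // hypothetical option name
}

// WRONG: esc_html() everywhere. Safe in the HTML body, but in href it leaves a
// "javascript:" scheme intact, and inside a JS string it inserts HTML entities
// instead of JS escapes, corrupting the value the script receives.
function mp_render_card_wrong( $title, $css_class ) {
    $link = mp_get_card_link();
    $out  = '<div class="card ' . esc_html( $css_class ) . '">';
    $out .= '<a href="' . esc_html( $link ) . '">' . esc_html( $title ) . '</a>';
    $out .= "<script>var cardTitle = '" . esc_html( $title ) . "';</script>";
    return $out . '</div>';
}

// RIGHT: one escaping function per output context.
function mp_render_card( $title, $css_class ) {
    $link = mp_get_card_link();
    // Attribute value: esc_attr() encodes quotes so the value cannot close the attribute.
    $out  = '<div class="card ' . esc_attr( $css_class ) . '">';
    // href: esc_url() returns '' for schemes outside wp_allowed_protocols(),
    // so a stored "javascript:" link renders as an empty, inert href.
    $out .= '<a href="' . esc_url( $link ) . '">' . esc_html( $title ) . '</a>';
    // Inline JS string: esc_js() produces JS escapes; the quotes are still ours to write.
    $out .= "<script>var cardTitle = '" . esc_js( $title ) . "';</script>";
    return $out . '</div>';
}

// Hypothetical shortcode wiring; attributes arrive untrusted and are escaped on output.
add_shortcode( 'mp_card', function ( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'class' => '' ), $atts );
    return mp_render_card( $atts['title'], $atts['class'] );
} );
```

Passing a value to a script via wp_localize_script() avoids the inline JS context entirely and is preferable when the script is enqueued.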