WP HealthKit

Escaping

Escaping converts special characters in output to their safe HTML entity equivalents, preventing browsers from interpreting data as executable code.

How it works

Escaping is the last line of defense against XSS. It must happen at the point of output, using the function that matches the output context. Even if data was sanitized on input, it should still be escaped on output — defense in depth.

In WordPress

Use esc_html() in HTML body, esc_attr() in attributes, esc_url() in href/src, esc_js() in inline JS, and wp_kses_post() when you need to allow some HTML tags. For translated strings, use the combined functions: esc_html_e(), esc_attr__(), etc.

Code example

<?php
// HTML body context
echo '<p>' . esc_html( $text ) . '</p>';

// Attribute context (value is inside double quotes)
echo '<input value="' . esc_attr( $value ) . '">';

// URL context (href/src): rejects disallowed schemes, not just special characters
echo '<a href="' . esc_url( $link ) . '">' . esc_html( $text ) . '</a>';

// Translated + escaped: esc_html_e() echoes the escaped translation
esc_html_e( 'Save Settings', 'my-plugin' );
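Added example (not code from the WP HealthKit page): one render function that applies the matching escaping function to every output context at once. It assumes WordPress is loaded (the esc_*() and wp_kses_post() calls are WordPress core), and the option keys, the my_plugin_ function name and the sample values are made up for illustration.

```php
<?php
// Assumes WordPress is loaded; esc_*() and wp_kses_post() are core functions.
// The option keys and sample values below are constructed for this example.

function my_plugin_render_notice_link( array $opts ) {
    // Values come from the database; treat them as untrusted regardless of
    // how they were sanitized on save (defense in depth).
    $label   = $opts['label']   ?? '';
    $href    = $opts['href']    ?? '';
    $css     = $opts['class']   ?? '';
    $title   = $opts['title']   ?? '';
    $summary = $opts['summary'] ?? ''; // limited HTML intentionally allowed here

    // href/src context: esc_url() drops URLs whose scheme is not in
    // wp_allowed_protocols() and returns ''. esc_html() would not catch that.
    $safe_href = esc_url( $href );
    if ( '' === $safe_href ) {
        $safe_href = '#'; // fall back to a harmless link
    }

    // Attribute context: esc_attr() neutralises quotes that would end the attribute.
    echo '<div class="' . esc_attr( $css ) . '">';
    echo '<a href="' . $safe_href . '" title="' . esc_attr( $title ) . '">';
    // HTML body context: esc_html() turns < > & " ' into entities.
    echo esc_html( $label );
    echo '</a>';
    // Body context where a whitelist of tags is allowed: wp_kses_post() keeps
    // post-safe tags (e.g. <strong>) and strips the rest (e.g. <script>).
    echo '<p>' . wp_kses_post( $summary ) . '</p>';
    // Inline JS string literal inside an attribute: esc_js() escapes quotes,
    // backslashes and line breaks for a single-quoted JS string.
    echo '<button onclick="track(\'' . esc_js( $label ) . '\')">';
    echo esc_html__( 'Track click', 'my-plugin' ); // translated + escaped, returned
    echo '</button>';
    echo '</div>';
}

// Constructed input: each value targets the context it is rendered into.
my_plugin_render_notice_link( array(
    'label'   => 'Read "this" <now>',
    'href'    => 'javascript:void(0)',        // disallowed scheme -> esc_url() returns ''
    'class'   => 'notice" data-x="',          // stray quote -> neutralised by esc_attr()
    'title'   => "It's a 'title'",
    'summary' => '<strong>Bold</strong> <script>x()</script> text',
) );
```

With that input the href falls back to '#', the class attribute stays a single attribute, and the summary keeps <strong> but loses the <script> element; running the same values through esc_html() for every context would have left the javascript: URL intact.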

WP HealthKit checks for Escaping-related vulnerabilities automatically

WordPress Escaping Functions — esc_html, esc_attr, esc_url Explained | WP HealthKit