esc_html()
escapes a string so that it is not parsed as HTML. Characters like <
are converted to <
, for example. This will look the same to the reader, but it means that if the value being output is <script>
then it won’t be interpreted by the browser as an actual script tag.
Use this function whenever the value being output should not contain HTML.
esc_attr()
escapes a string so that it’s safe to use in an HTML attribute, like class=""
for example. This prevents a value from breaking out of the HTML attribute. For example, if the value is "><script>alert();</script>
and you tried to output it in an HTML attribute it would close the current HTML tag and open a script tag. This is unsafe. By escaping the value it won’t be able to close the HTML attribute and tag and output unsafe HTML.
Use this function when outputting a value inside an HTML attribute.
esc_url()
escapes a string to make sure that it’s a valid URL.
Use this function when outputting a value inside an href=""
or src=""
attribute.
esc_textarea()
escapes a value so that it’s safe to use in a <textarea>
element. By escaping a value with this function it prevents a value being output inside a <textarea<
from closing the <textarea>
element and outputting its own HTML.
Use this function when outputting a value inside a <textarea>
element.
esc_html()
and esc_attr()
also have versions ending in __()
, _e()
and _x()
. These are for outputting translatable strings.
WordPress has functions, __()
, _e()
and _x()
, for outputting text that can be translated. __()
returns a translatable string, _e()
echoes a translatable string, and _x()
returns a translatable string with a given context. You’ve probably seen them before.
Since you can’t necessarily trust a translation file to contain safe values, using these functions when outputting a translatable string ensures that the strings being output can’t cause the same issue described above.
Use these functions when outputting translatable strings.