escaping – How to safely escape data that contains HTML attributes

Question

wp_kses

You could use wp_kses to define specific html-tag/attribute combinations to be permitted in the escaped output.

$allowed_html = [
  'div' => [
    'class' => [],
  ],
];

echo wp_kses( '<div class="whatever">hey</div>', $allowed_html );

wp_kses_post

You could use wp_kses_post. It’s a pretty heavy function to use for such a purpose, but it is a valid way to escape your output.

<div <?php echo wp_kses_post('class="whatever"'); ?> >hey</div>

Alvaro Franz, 2022-06-11T15:34:55-05:00
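
An added example, not part of the original post or of WordPress core: when the attributes arrive as untrusted name/value data, one option is to allow-list the attribute names and escape each value for attribute context with esc_attr() (esc_url() for URL attributes). The helper name example_build_attributes and the sample input are hypothetical; the code assumes WordPress is loaded.

```php
<?php
/**
 * Added example: hypothetical helper, not a WordPress core function.
 * Builds an attribute string from untrusted name => value pairs.
 * Assumes WordPress is loaded (uses esc_attr() and esc_url()).
 */
function example_build_attributes( array $attrs, array $allowed_names ) {
	$url_attrs = [ 'href', 'src' ]; // values that must be treated as URLs
	$out       = [];

	foreach ( $attrs as $name => $value ) {
		$name = strtolower( (string) $name );

		// Allow-list the attribute names; anything else (event handlers,
		// style, unknown names) is dropped rather than escaped.
		if ( ! in_array( $name, $allowed_names, true ) || ! is_scalar( $value ) ) {
			continue;
		}

		if ( in_array( $name, $url_attrs, true ) ) {
			// esc_url() returns an empty string for disallowed protocols.
			$escaped = esc_url( (string) $value );
			if ( '' === $escaped ) {
				continue;
			}
		} else {
			// esc_attr() encodes quotes and angle brackets so the value
			// cannot close the attribute it is placed in.
			$escaped = esc_attr( (string) $value );
		}

		$out[] = sprintf( '%s="%s"', $name, $escaped );
	}

	return implode( ' ', $out );
}

// Constructed sample input standing in for untrusted data.
$untrusted = [
	'class'       => 'whatever" onmouseover="x',
	'onmouseover' => 'x',
	'href'        => 'javascript:void(0)',
	'data-id'     => '42',
];

// Only class, href and data-id are permitted on this element.
$allowed = [ 'class', 'href', 'data-id' ];
echo '<div ' . example_build_attributes( $untrusted, $allowed ) . '>hey</div>';
```

The escaping happens per value at output time, so the surrounding markup stays in the template and only the data is treated as untrusted.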
