I’m very new to WP, and from following books and online examples, I have several different ‘escaping’ functions in my first plugin. I would like to know if there is one function, or a minimal set of functions, I can use to prevent malicious HTML stored in my DB from doing anything bad. I would, however, always like to store text exactly as it is captured, and only sanitize it when presenting it.
Well, I would start with the one called esc_html().

EDIT

Longer answer:

You should perform sanitization on input, and escaping on output.

To sanitize HTML content on input, I would use one of the kses() family of filters – particularly, wp_kses_post(), which will filter all but the HTML tags allowed via the Post Editor.

To escape HTML content on output, I would use esc_html(), which escapes HTML blocks for output.
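The "sanitize on input, escape on output" split from the answer above, as an added example plugin that is not part of the original thread and not code from the asker. It uses real WordPress functions (wp_kses_post, esc_html, esc_textarea, esc_url, check_admin_referer, wp_unslash, admin_post_{action}) but the option name noteex_note, the action name noteex_save, the shortcode [noteex_note] and its mode attribute, and the admin page slug are assumptions chosen for illustration. It also shows the caveat a practitioner runs into: if the stored value is meant to render as HTML, printing it with esc_html() shows the allowed tags as literal text, so that output path re-applies wp_kses_post() instead.

```php
<?php
/**
 * Plugin Name: Note Example (added example, not from the original thread)
 *
 * Assumptions (not in the original): option "noteex_note", admin-post action
 * "noteex_save", admin page slug "noteex", shortcode [noteex_note] with an
 * illustrative "mode" attribute (text|html).
 */

defined( 'ABSPATH' ) || exit;

// 1. INPUT: sanitize once, with an allow-list, before the value reaches the DB.
function noteex_save() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // CSRF check; wp_die()s if the nonce is missing or invalid.
    check_admin_referer( 'noteex_save' );

    // WordPress adds slashes to $_POST; strip them before filtering.
    $raw = isset( $_POST['note'] ) ? wp_unslash( $_POST['note'] ) : '';

    // wp_kses_post() keeps only the tags/attributes the post editor allows
    // (p, a, strong, em, ...). Disallowed tags such as <script> are removed
    // (their text content is kept), and event handlers like onclick= and
    // javascript: URLs are stripped.
    $clean = wp_kses_post( $raw );

    update_option( 'noteex_note', $clean );

    wp_safe_redirect( admin_url( 'admin.php?page=noteex&saved=1' ) );
    exit;
}
add_action( 'admin_post_noteex_save', 'noteex_save' );

// 2. OUTPUT: escape for the context the value is printed into.
function noteex_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'mode' => 'text' ), $atts, 'noteex_note' );
    $note = (string) get_option( 'noteex_note', '' );

    if ( 'html' === $atts['mode'] ) {
        // Render the allowed markup. The allow-list is applied again here so
        // a value written to the option by some other code path (import,
        // direct DB edit) cannot smuggle script into the page.
        return '<div class="noteex">' . wp_kses_post( $note ) . '</div>';
    }

    // Plain-text rendering: esc_html() converts <, >, &, " and ' to entities,
    // so even an allowed <strong> is displayed literally, never interpreted.
    return '<div class="noteex">' . esc_html( $note ) . '</div>';
}
add_shortcode( 'noteex_note', 'noteex_shortcode' );

// 3. The edit form: textarea content via esc_textarea(), URLs via esc_url().
function noteex_form() {
    $note = (string) get_option( 'noteex_note', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'noteex_save' ); ?>
        <input type="hidden" name="action" value="noteex_save">
        <textarea name="note"><?php echo esc_textarea( $note ); ?></textarea>
        <button type="submit">Save</button>
    </form>
    <?php
}

function noteex_menu() {
    // add_menu_page( page_title, menu_title, capability, slug, callback )
    add_menu_page( 'Note', 'Note', 'edit_posts', 'noteex', 'noteex_form' );
}
add_action( 'admin_menu', 'noteex_menu' );
```

The escaping function is chosen by output context, not by where the data came from: esc_html() for text nodes, esc_attr() for attribute values, esc_url() for href/src, esc_textarea() inside a textarea. Storing the raw submission and filtering only on output, as the question proposes, works only if every output path applies the filter; filtering on input with wp_kses_post() and still escaping on output means one forgotten call does not become an injection.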