What function can I use consistently to escape possible HTML for editing and display?

I’m very new to WP, and from following books and online examples, I have several different ‘escaping’ functions in my first plugin. I would like to know if there is one function, or a minimal set of functions, I can use to prevent malicious HTML stored in my DB from doing anything bad. I would, however, always like to store text exactly as it is captured, and only sanitize it when presenting it.

1 comment

  1. Well, I would start with the one called esc_html().

    EDIT

    Longer answer:

    You should perform sanitization on input, and escaping on output.

    To sanitize HTML content on input, I would use one of the kses() family of filters – particularly, wp_kses_post(), which will filter all but the HTML tags allowed via the Post Editor.

    To escape HTML content on output, I would use esc_html(), which escapes HTML blocks for output.
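As an added example (not code from the question or the answer above), a minimal plugin fragment that applies the answer's rule: filter with wp_kses_post() when saving and escape with the esc_*() function that matches the output context when printing. The option name `my_note`, the `save_my_note` action and the form wiring are assumptions for this example. Note that esc_html() makes stored tags show up literally as text; to render the tags the Post Editor allows, pass the value through wp_kses_post() again at output time.

```php
<?php
// Added example: store one note submitted from an admin form and show it back.
// Rule from the answer: sanitize on input (wp_kses_post), escape on output (esc_*).

// --- Input: runs when the form posts to admin-post.php?action=save_my_note
add_action( 'admin_post_save_my_note', 'my_note_save' );
function my_note_save() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Not allowed.' );
    }
    check_admin_referer( 'save_my_note' );            // verify the nonce (CSRF check)
    $raw = isset( $_POST['my_note'] ) ? wp_unslash( $_POST['my_note'] ) : '';
    // Keep only the tags/attributes the Post Editor allows; <script>, onclick=, etc. are stripped.
    update_option( 'my_note', wp_kses_post( $raw ) );
    wp_safe_redirect( wp_get_referer() );
    exit;
}

// --- Output: pick the escaper for the context the value is printed into.
function my_note_render() {
    $note = get_option( 'my_note', '' );

    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'save_my_note' );
    echo '<input type="hidden" name="action" value="save_my_note">';
    // Inside a <textarea>: esc_textarea(), so stored markup is editable, not executed.
    echo '<textarea name="my_note">' . esc_textarea( $note ) . '</textarea>';
    echo '<button type="submit">Save</button></form>';

    // As plain visible text: esc_html() turns <b> into &lt;b&gt; and shows it literally.
    echo '<p>Source view: ' . esc_html( $note ) . '</p>';

    // Inside an attribute: esc_attr() so quotes cannot break out of the attribute.
    echo '<div title="' . esc_attr( wp_strip_all_tags( $note ) ) . '">';
    // As rendered HTML: run wp_kses_post() again at output so only allowed tags survive,
    // even if the stored value was written by an older, unfiltered code path.
    echo wp_kses_post( $note );
    echo '</div>';
}
```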