I’m very new to WP, and from following books and online examples, I have several different ‘esacping’ functions in my first plugin. I would like to know if there is one function, or a minimal set of functions, I can use to prevent malicious HTML stored in my DB from doing anything bad. I would, however, always like to store text exactly as it is captured, and only sanitize it when presenting it.
What function can I use consistently to escape possible HTML for editing and display?
Well, I would start with the one called
esc_html().EDIT
Longer answer:
You should perform sanitization on input, and escaping on output.
To sanitize HTML content on input, I would use one of the
kses()family of filters – particularly,wp_kses_post(), which will filter all but the HTML tags allowed via the Post Editor.To escape HTML content on output, I would use
esc_html(), which escapes HTML blocks for output.