You can read plenty of information about the importance of escaping information in WordPress via the Codex. If you’re new to the topic, I highly recommend it.
If you need a refresher, or are looking for a short description for why this is necessary, consider this the working definition:
For security on the other end of the spectrum, we have escaping. To escape is to take the data you may already have and help secure it prior to rendering it for the end user.
Clear enough, right? And WordPress offers plenty of functions to help with this.
How do we know which one to use, though?
Escaping Data in WordPress
First, I think it’s important for every WordPress developer to understand sanitization and escaping. It provides security for our users.
This is a topic that’s covered in the Codex and that you’re going to come across if you have work reviewed. But that’s a longer topic for another post.
In the meantime, check out Tom Nowell‘s small web application Escaping. It’s an instant bookmark.
As the site describes:
Test your content below with every sanitiser and escaper in WordPress.
This enables you to provide whatever data you’d be escaping in your WordPress project, and see how the various API functions will return it to the browser.
Yes, there are times to use some functions over other functions, but that’s beyond the scope of this point. Instead, take note of what will rendered, ensure it’s what you expect, and make sure you use the proper API function in your work.
Escaping Data in WordPress (And Why It’s Important) was written by Tom. For more information about WordPress, development, and resources then visit Tom McFarlin’s blog.
Read more here:: Escaping Data in WordPress (And Why It’s Important)