escaping - When do I need to use esc_html()?


This question already has answers here: What’s the difference between esc_html, esc_attr, esc_html_e, and so on? (2 answers) Closed 6 years ago.

When outputting data prior to rendering it, what is best practice in terms of when to use esc_html()? For example, what if my PHP template contains the following code:

<?php $title = "Contact"; ?>
<h1> <?php echo $title; ?> </h1>

Would I need to wrap $title in esc_html()? If the answer is 'no,' can you give me an example of when I would need to wrap $title in esc_html()? Assume there is no user input on the page in question.

This Codex page seems to say 'yes,' a variable should be escaped with esc_html() anytime it is enclosed in an HTML element. But this page seems to indicate 'no,' a variable should be escaped with esc_html() only if there is a chance the variable could contain text that could be interpreted as harmful/unexpected HTML (i.e. a dynamic variable, or user-inputted variable).

Previous Stack Exchange Questions

I've seen the following Stack Exchange questions, which give some insight. But none have an accepted answer, so I was hoping to get one here. The replies in these questions indicate that the answer to my question is 'no,' esc_attr() is not needed in my particular case.

  • Question 1 - The reply here simply says one doesn't need to esc_html() on hard coded URLs.
  • Question 2 - The reply here indicates I need to esc_html(), "...anytime you are not 100% sure that what you want to output is a valid HTML for that context."
  • Question 3 - This says, "don't bother to escape static strings, it's pointless."
asked Feb 6, 2019 at 12:18 by cag8f; edited Feb 7, 2019 at 6:33
  • While none of the questions you indicated have an accepted answer, there are answers there. So it's just that the OPer did not bother to come back and mark one accepted. Tom's answer on the last one you indicated (and what Jacob marked as a duplicate) is a good one that tells you what you need to know - when you don't need esc_html(). – butlerblog Commented Feb 6, 2019 at 13:02
  • The question I flagged as a duplicate was not one of the ones in the original question, which is why I flagged it. – Jacob Peattie Commented Feb 6, 2019 at 14:01

1 Answer 1


While this is probably a duplicate of What’s the difference between esc_html, esc_attr, esc_html_e, and so on? I'm going to go ahead and provide an answer anyway, since as @cag8f indicated, there's not an accepted answer on that question (but I'll add that I think Tom's answer there tells you what you need to know).

You need to escape output when there's a possibility that the output might be changed somewhere or may have some "untrusted" value.

In the case of your example (repeated below),

<?php $title = "Contact"; ?>
<h1> <?php echo $title; ?> </h1>

you do not need to escape this. "Contact" is already set and is a safe value and is not changed. In fact, as written, you are wasting space (and readability) and it really should be just hard HTML.

Now, if you do something to $title, that changes things. You would need to escape the output in that case because you don't know what the value might be.

For example:

<?php $value = get_user_meta( $user_id, 'some_meta', true ); ?>
<p>My Value: <?php echo esc_html( $value ); ?></p>

This needs to be escaped because you don't actually know what the value is, and thus you don't know if it is safe to output. That's where it needs to be escaped.

It is important to also know the following:

  1. Learn which escape functions do which tasks. Using one that isn't appropriate for the data could result in not fully escaping the value, or breaking it in some other way. There are escape functions for different data types, so use the correct one.
  2. Know if the data needs to be escaped. If you're using a WP function that already escapes the data, then you're double escaping it and that can result in bad output. If you're not sure, look up the function and review the source.
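The two cases the answer contrasts, plus the double-escaping problem from point 2, as an added stand-alone example (not code from the question, the answer, or WordPress). esc_html() only exists inside WordPress, so the wp_style_esc_html() helper below stands in for it using PHP's htmlspecialchars(); that helper, render_static_heading(), render_meta_paragraph() and the $stored_value sample are all constructed for this illustration.

```php
<?php
// Stand-in for WordPress esc_html(): an assumption for this example, not WordPress's code.
// It escapes &, <, >, " and ' so the value is rendered as text and never parsed as markup.
function wp_style_esc_html( string $text ): string {
    return htmlspecialchars( $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

// The static case from the question: a hard-coded literal whose content is fully known
// when the template is written, so there is nothing to escape.
function render_static_heading(): string {
    $title = 'Contact';
    return "<h1>{$title}</h1>";
}

// The dynamic case from the answer: a value that came from storage (here passed in
// instead of calling get_user_meta()), so its content is unknown to the template author.
function render_meta_paragraph( string $value ): string {
    return '<p>My Value: ' . wp_style_esc_html( $value ) . '</p>';
}

// Constructed sample of stored data containing characters that are significant to HTML.
$stored_value = 'Tom & Jerry <b>bold</b> "quoted"';

echo render_static_heading(), "\n";

// Unescaped, the stored <b>...</b> becomes real markup inside the paragraph and the bare
// ampersand is malformed HTML; the template no longer controls the page structure.
echo '<p>My Value: ' . $stored_value . '</p>', "\n";

// Escaped, the browser displays every character of the stored value literally.
echo render_meta_paragraph( $stored_value ), "\n";

// Point 2 of the answer: escaping a value that some other function already escaped
// encodes the existing entities a second time, so the reader sees "&amp;" and "&lt;b&gt;"
// as visible text instead of the intended characters.
$already_escaped = wp_style_esc_html( $stored_value );
echo wp_style_esc_html( $already_escaped ), "\n";
```

Run it with `php example.php` and compare the three paragraph lines: the rule the answer gives is to escape exactly once, at output time, using the function that matches the output context (HTML body text here).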