Escaping crashes my output

When I add WordPress escaping code like esc_attr_e to the variable below, it writes text instead of HTML code to my browser:

   <?php echo esc_attr_e( $redux_demo['editor-text-header-left'], 'hekim' ); ?>

When I remove the escaping code, the variable gives HTML code.

Now, it gives the text below:

<a href="#"><i class="fa fa-medkit text-thm2"></i> Help | </a><a href="#">Forum | </a><a href="#">Skype | </a><a href="#">Mon - Sat 9.00 - 19.00</a>

How can I escape it correctly?

asked May 26, 2020 at 19:42 by Faruk rıza
  • It's doing what it's supposed to. esc_attr and esc_attr_r are for use inside attributes. There is no single escaping function; rather, you have to use the one appropriate for your situation. Additionally, esc_attr_e is not shorthand for echo esc_attr(, it's actually a part of the translation API, aka echo esc_attr( __(. You should not be passing HTML strings into the translation APIs. – Tom J Nowell Commented May 26, 2020 at 20:04
  • @TomJNowell I changed it to <?php echo esc_html( $redux_demo['editor-text-header-left']); ?> but it still gives text. Can you give an example for this variable? I am new to escaping issues – Faruk rıza Commented May 26, 2020 at 20:20
  • The whole point of esc_html is to print text instead of HTML. If you want to allow any HTML, then it shouldn't be escaped. – Jacob Peattie Commented May 27, 2020 at 0:05
  • esc_html isn't intended to print out HTML tags, it's for printing out text that shouldn't have HTML in it. As Jacob said, if you want to allow anything then it isn't possible to escape (allowing anything means it's unescaped by definition). Your HTML fragment is too complex to escape, and this is not the right location to do escaping, it's too high up the chain. Escaping needs to be granular, so don't escape a menu, escape the attributes on the tags, and the labels etc., not the whole thing all at once – Tom J Nowell Commented May 27, 2020 at 8:48

1 Answer

There are several issues here:

  1. echo esc_attr_e should be just esc_attr_e; the _e means it already echoes
  2. esc_attr_e is not just an escaping function, it's a localisation API; it's shorthand for echo esc_attr( __(
  3. esc_attr strips out HTML, it's intended for use inside HTML attributes where HTML tags are not allowed.
  4. You must never pass variables and dynamic values into localisation functions

If you want to escape a string that contains basic HTML such as paragraphs etc, use wp_kses_post, e.g.:

echo wp_kses_post( $redux_demo['editor-text-header-left'] );
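
The two approaches raised in this thread, as an added example that is not part of the original answer or comments: filtering the stored fragment against a narrow allowlist, and the granular per-attribute escaping described in the comments. It assumes the code runs inside a WordPress theme; the hekim_-prefixed function names and the item array keys are hypothetical.

```php
<?php
// Added example; assumes it runs inside a WordPress theme (e.g. functions.php),
// so wp_kses(), esc_url(), esc_attr() and esc_html() are already loaded.
// Function names prefixed hekim_ are hypothetical.

/**
 * Option 1: the option stores an HTML fragment. Filter it against an
 * allowlist narrower than wp_kses_post(): only the tags and attributes
 * this header strip needs survive, everything else is removed.
 */
function hekim_header_left_html( $raw ) {
	$allowed = array(
		'a' => array( 'href' => true ),
		'i' => array( 'class' => true ),
	);
	// Third argument is the list of URL schemes permitted in href;
	// any other scheme prefix is stripped from the value.
	return wp_kses( $raw, $allowed, array( 'http', 'https', 'mailto' ) );
}

/**
 * Option 2: store data instead of markup and escape each value for the
 * context it lands in: esc_url() for href, esc_attr() for class,
 * esc_html() for the visible label.
 */
function hekim_header_left_links( array $items ) {
	$out = '';
	foreach ( $items as $item ) {
		$icon = '';
		if ( ! empty( $item['icon'] ) ) {
			$icon = '<i class="' . esc_attr( $item['icon'] ) . '"></i> ';
		}
		$out .= '<a href="' . esc_url( $item['url'] ) . '">' . $icon . esc_html( $item['label'] ) . '</a>';
	}
	return $out;
}

// Template usage. $redux_demo is the options array from the question.
echo hekim_header_left_html( $redux_demo['editor-text-header-left'] );

// Constructed sample data for option 2.
echo hekim_header_left_links( array(
	array( 'url' => '#', 'icon' => 'fa fa-medkit text-thm2', 'label' => 'Help | ' ),
	array( 'url' => '#', 'label' => 'Forum | ' ),
) );
```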
