Is Escaping Data In WordPress An Issue??

Escaping Data In WordPress: Are you constantly trying to make your code or WordPress theme secure to use across multiple sites?

Do you find difficulty in handling the incoming and outgoing data when making WordPress themes?

Managing and censoring data is a challenging task, especially when your WordPress theme will be used on different sites. You have to be cautious and aware of both the incoming and the outgoing data. To do so you probably need to do the following 3 processes:

  • Escaping Data
  • Sanitizing Data
  • Validating Data


The process of securing your output data is called Escaping the data. Escaping is generally done before you present your data to the end-user. It ensures that the data is presented as per the expectations of the user. 

When you Escape your output data, you take out all the unwanted data, like script tags and malformed HTML. Technically it is done by converting the HTML characters into HTML entities. This way they are displayed to the user in the way they want to see that data and are not executed as a command. 

You Escape your data to secure it from being viewed as code and attacked by XSS attacks. These attacks inject client-side scripts into your pages and let the attacker bypass certain controls. 

For example, Facebook secures its chat by Escaping the data so that users don’t go around running their code on each other’s computers.   

WordPress gives you a few options for Escaping data. Like esc_html(), to escape specific HTML characters. You can also escape all URLs, even the ‘src” and “href” attributes of an HTML element by using the function esc_url().

To escape inline Javascript, you can use esc_js()

Well, this was about securing your output data that you put or share on your website. But how do you secure the data that is being inputted into your website? 


WordPress helps you to easily filter your incoming data. This process is also known as sanitization. Usually, you sanitize your data when you are unsure about the type of data you would receive. And mostly because you don’t want to be rigid about filtering the data input. 

WordPress offers inbuilt sanitization functions that let you run your website safely without having to worry about encountering unexpected or harmful data. 

The sanitize code series sanitize_*() makes it pretty easy for you to make your data input safe. 

Another example is the sanitize_email(). You can use this to take out all the characters that are not allowed in an email address.

This is probably the easiest way to sanitize data; however, you can also manually filter your incoming data with certain codes. 

The sanitize code technically:

  • checks for invalid UTF-8
  • converts single less than characters (<) to the entity
  • strips octets
  • strips all tags
  • removes line breaks, tabs, and extra white space
  • removes text characters and code that isn’t allowed

You should probably perform escaping on any unknown variable on an output. Variables should be escaped on output and sanitized on input.


Validating your data is another task. To validate you have to check the user input and see if the user has entered a valid value. You also check that the data the user has entered matches the data you’ve requested. 

If you find that the value entered is incorrect or invalid then the user is asked to enter the value correctly again because the invalid value is not processed or stored. 

A common example of validating is when you are asked to enter your password twice on a site. The passwords are validated and matched to see if they are the same. 

Let’s say that you need someone to enter their zip code, so you run this code 

<input type=” text” id=”my-zipcode” name=”my-zipcode”maxlenght=”5” />

This code limits the user to up to 5 characters to enter in their data, but it sets no limitation of the character types. The user can enter whatever character other than numbers and the browser will not discard that data. This indirectly gives the user more access than you want them to have. So when you validate this code to check for proper character type then the browser will automatically discard it. 

So, next time when you are running a theme or code on WordPress remember to escape, sanitize and validate to have a secure flow of data.

Previous Post

Leave a Reply