What is validating, escaping and sanitizing in WordPress?

Security is a crucial element of any WordPress theme or plugin. You should build it in at the earliest stage of theme/plugin development, which is while writing the code. Writing code that merely works is not enough; it needs scrutiny, because data arriving into WordPress cannot be trusted at all. You should also transform data further down the line, when it is presented to end users, so as to avoid conflicts. This is known as validating, escaping and sanitizing in WordPress. In this article we will discuss how and why you should handle this process in WordPress.

Validating, escaping and sanitizing are the trinity of careful data handling in WordPress. Validating refers to checking user input, sanitizing is cleaning it, and escaping applies to rendering data securely to the end users. There are a few rules you should stick to, which will act as a guiding light for the data handling process.

Never trust user input

You should never assume that input entered by users is safe, because sometimes they submit unanticipated information. Examples of input data include form data, client information such as cookies and the referer, and anything else submitted in an HTTP/HTTPS request. Hence, you should build a robust theme/plugin that handles unexpected input gracefully.

Always escape everything from untrusted sources or third parties

Untrusted data comes from third-party sources and sometimes, to your dismay, it might even come from your own database. You should validate and escape incoming and outgoing data in the right context, not indiscriminately. To elaborate, if you apply HTML escaping to data at the moment it is collected from an HTTP POST or GET parameter, you violate this rule, because you are mixing up output formatting with input handling.

Escape as late as possible

The "later the better" rule should be applied when it comes to escaping data. Doing so is good escaping practice and has several benefits.

It makes code review faster, as the reviewer won't have to trace back through lines of code to confirm that a value was escaped.

It guards against the variable changing unexpectedly between the time it was first created and the time it is output.

It makes the code clearer.

Trust WordPress

Data coming directly from WordPress can be trusted. Some WordPress functions, such as the_title(), the_permalink() and the_content(), need not be sanitized, as their output is properly sanitized by the WordPress internals.

Now that we have covered these rules, let's see how you can actually implement them in code. Let's start with validating, or checking, the input.

Validating the input

We perform validation to check whether the user input matches what we expect it to be. For example, if the user is supposed to submit an email address but enters a phone number, the input must not be accepted at all.

Say we have an input field in our form where a user is to enter an email address.

We perform the email validation as in the code below.


Likewise, WordPress has several other useful functions for validating input data.

Sanitizing, cleaning the user input

The next thing to do is clean the user input. In this case, we have already validated the user's email input and now we are going to sanitize it. Let's assume the user has entered '    jondoe@gmail.com!!    '; we will sanitize the user input as in the code below.

The output would be 'jondoe@gmail.com' after the sanitization. The sanitization function removes invalid UTF-8, converts single < characters to entities, strips all tags, and removes extra whitespace, line breaks and tabs.
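
The validation and sanitization steps described above, combined into one helper. This is an added example, not code from the original article; it assumes WordPress's is_email() and sanitize_email(), and the function name and the 'user_email' field name are hypothetical.

```php
<?php
/**
 * Added example: sanitize, then validate, an email field from a form POST.
 * The function name and the 'user_email' field name are hypothetical.
 *
 * @return string|WP_Error The clean address, or an error to show the user.
 */
function myplugin_get_submitted_email() {
	// A missing field or an array value (user_email[]=...) is never an address.
	if ( ! isset( $_POST['user_email'] ) || ! is_string( $_POST['user_email'] ) ) {
		return new WP_Error( 'email_missing', 'Please enter an email address.' );
	}

	// WordPress adds slashes to request data; strip them before any checks.
	$raw = wp_unslash( $_POST['user_email'] );

	// Sanitizing: drop whitespace and characters that cannot appear in an
	// address. Input with no usable address in it comes back as ''.
	$email = sanitize_email( $raw );

	// Validating: is_email() returns false unless the value is a well-formed
	// address, so a phone number typed into this field is rejected here.
	if ( ! is_email( $email ) ) {
		return new WP_Error( 'email_invalid', 'That is not a valid email address.' );
	}

	return $email;
}
```

A caller checks the result with is_wp_error() and stores or uses the value only when no error was returned.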

Escaping or safeguarding the output

Escaping refers to securing the data you already have just before presenting it to the end users. WordPress has several useful escaping functions for rendering output. Below are some examples.


You should escape output using esc_html() when an HTML element encloses it.

<h4> <?php echo esc_html( $output_variable ); ?></h4>


esc_url() should be used on all URLs, including those in the 'src' and 'href' attributes of an HTML element.

<img alt="" src="<?php echo esc_url( $image ); ?>" />


esc_js() is intended for inline JavaScript.

 var value = '<?php echo esc_js( $value ); ?>';


esc_attr() can be used on everything else that's printed into an HTML element's attribute.

<ul class="<?php echo esc_attr( $ul_class ); ?>">


When you want to output HTML content, you can use wp_kses(). There is also wp_kses_post(), which permits what post output is normally expected to contain.

Now, as we mentioned the late escaping rule above, let's look at how we can implement it. Say we are going to output a URL.
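
Early escaping next to late escaping for a URL, as an added example that is not code from the original article. The 'myplugin_docs_url' option, the 'ref' parameter and both function names are hypothetical.

```php
<?php
// Added example. 'myplugin_docs_url' and both function names are hypothetical.

// Early escaping (avoid): the value is escaped where it is read, then changed
// again before output, so what reaches the page is no longer the escaped value.
function myplugin_docs_link_early( $ref ) {
	$url  = esc_url( get_option( 'myplugin_docs_url' ) );
	$url .= '?ref=' . $ref; // Appended after escaping, so it is never escaped.
	echo '<a href="' . $url . '">Documentation</a>';
}

// Late escaping (preferred): build the final value first, then escape it in
// the same statement that prints it.
function myplugin_docs_link_late( $ref ) {
	$url = get_option( 'myplugin_docs_url' );
	$url = add_query_arg( 'ref', rawurlencode( $ref ), $url );
	echo '<a href="' . esc_url( $url ) . '">'
		. esc_html__( 'Documentation', 'myplugin' ) . '</a>';
}
```

In the second function a reviewer can confirm the output is safe by reading the echo statement alone, which is the review benefit listed under the late escaping rule.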

Finally, we would like to thank you for taking the time to read this article. We always suggest you implement this data handling process while developing a WordPress project. It can secure your theme/plugin from its earliest stage, and you will also be following the WordPress standards.