WordPress core provides developers with a handful of functions to escape string content and enable translations into other languages.
Translatable Strings
Access the translated version of text used in plugins or themes with one of the following functions.
<?php
echo __( 'Hello', 'text-domain' );
_e( 'Hello', 'text-domain' );
echo _x( 'Hello', 'The welcome message', 'text-domain' );The first, __(), returns the text.
The “e” in _e() stands for echo. This function outputs the text.
The “x” in _x() stands for context and accepts an argument to explain to translators the context of the text.
Escape for HTML
Escapes strings so they are not parsed as HTML. Characters like < are converted to <.
<?php
echo esc_html( 'Hello' );
echo esc_html__( 'Hello', 'text-domain' );
esc_html_e( 'Hello', 'text-domain' );
echo esc_html_x( 'Hello', 'The welcome message', 'text-domain' );Example
<p><?php esc_html_e( 'Hi there! >:)', 'my-plugin' ); ?></p>The above code will render the following HTML:
<p>Hi there! >:)</p>Escape for HTML attributes
Escape strings used in HTML attributes like class="" so they do not break the HTML.
<?php
echo esc_attr( 'Value' );
echo esc_attr__( 'Value', 'text-domain' );
esc_attr_e( 'Value', 'text-domain' ); // Outputs the value.
echo esc_attr_x( 'Value', 'The control value', 'text-domain' );Example
<p><input type="text" value="<?php esc_attr_e( 'Something seems "off"', 'my-plugin' ); ?>" /></p>The above code will render the following HTML:
<p><input type="text" value="Something seems "off"" /></p>Escape a URL
Escape strings inside href="" or src="" attributes.
<?php
echo esc_url( 'https://coreysalzano.com/' );Escape for textareas
Prevents the text content of a <textarea> from closing the element early.
<?php
echo esc_textarea( 'WordPress core provides developers with a handful of functions to escape string content and enable translations into other languages.' );