Wordpress - Should HTML output be passed through esc_html() AND wp_kses()?
The general rule, at least as espoused by Mark Jaquith, is sanitize on input, escape on output (the corollary to this rule being sanitize early, escape late).
So: use sanitization filters (such as the kses()
family) when storing untrusted data in the database, and use escaping filters (i.e. the esc_*()
family) when outputting untrusted data in the template.
The kses functions should be used when you want to allow some subset of html to be in the result. For example, comments allow some HTML in them for bold, italic, links, and such.
The esc_html function should be used to escape html completely. No HTML will go through it without being converted to something that will be interpreted as non-HTML by a browser.