Title: Sanitizing output when returning
Last modified: August 7, 2022

---

# Sanitizing output when returning

 *  Resolved [Guido](https://wordpress.org/support/users/guido07111975/)
 * (@guido07111975)
 * [3 years, 9 months ago](https://wordpress.org/support/topic/sanitizing-output-when-returning/)
 * Hi,
 * Maybe a rookie question but I’m not certain whether I should sanitize output
   (data) when returning it, or not?
 * I know I should sanitize this output for security reasons when echoing:
 *     ```
       $value = __( 'My Text', 'my-text-domain' );
       echo esc_attr($value);
       ```
   
 * But should I do the same thing when returning?
 *     ```
       $content = '';
       $content .= '<div>';
       $content .= esc_attr( __( 'My Text', 'my-text-domain' ) );
       $content .= '</div>';
       return $content;
       ```
   
 * Or can `esc_attr()` be omitted in this example?
 * If not, can you explain why? Was not able to find a clear explanation online.
 * Guido

Viewing 8 replies - 1 through 8 (of 8 total)

 *  Thread Starter [Guido](https://wordpress.org/support/users/guido07111975/)
 * (@guido07111975)
 * [3 years, 9 months ago](https://wordpress.org/support/topic/sanitizing-output-when-returning/#post-15895634)
 * Oh my.. I meant escaping, instead of sanitizing! What was I thinking?!
 * Guido
 *  [Ben Greeley](https://wordpress.org/support/users/bengreeley/)
 * (@bengreeley)
 * [3 years, 9 months ago](https://wordpress.org/support/topic/sanitizing-output-when-returning/#post-15897746)
 * [@guido07111975](https://wordpress.org/support/users/guido07111975/) The general
   guidance is to [escape as late as possible](https://developer.wordpress.org/themes/theme-security/data-sanitization-escaping/#escaping-securing-output).
   So ideally, if you are echoing data, you’d wrap that data in an escape function.
   If PHPCS sees an `echo $var;` without being escaped, it’s going to assume it’s
   not escaped and raise an issue.
 * The deciding factor of whether your function should return escaped data is how
   your specific function is going to be used. For example, if you are creating 
   a utility function similar to Core’s [get_site_url()](https://developer.wordpress.org/reference/functions/get_site_url/),
   which returns the site URL, it likely doesn’t make sense to escape the data, 
   as it may be used for output but it may not be as well. Somebody using that function
   would be wrapping the results of that function in `esc_url()` to follow best 
   practices and ensure that it’s escaped. However, if your function is doing something
   along the lines of creating HTML for a page such as a function named `get_generated_section_html()`
   it would be best to ensure all the data you are outputting is sanitized, especially
   if the data is using $_GET or $_POST. It’ll still be up to wherever that function
   is being output to properly run through a function like `wp_kses_post()`, but
   that extra bit of escaping won’t hurt.
 * Side-note on your usage of `esc_attr()` in your example: esc_attr is useful for
   escaping a variable that is used in HTML attributes such as `<img alt="<?php 
   echo esc_attr( $alt_text ); ?>" />`, however in your example it looks like `esc_html()`
   would be better to use since it would be escaping a block of HTML.
 * Hopefully that all makes sense and helps put you on the right track.
    -  This reply was modified 3 years, 9 months ago by [Ben Greeley](https://wordpress.org/support/users/bengreeley/).
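The distinction Ben draws above (a `get_site_url()`-style utility that returns raw data for the caller to escape, next to a `get_generated_section_html()`-style function that escapes at the point it builds markup), as an added example that is not code from the thread. The `my_plugin_*` function names, the hostile input and the simplified `esc_*` stand-ins (used only when WordPress is not loaded) are assumptions for this illustration; inside WordPress the real `esc_url()`, `esc_attr()` and `esc_html()` are used instead.

```php
<?php
// Added example, not from the thread: a raw-returning utility function beside an
// HTML-generating function that escapes per context before returning.
// Outside WordPress the esc_* helpers below are simplified stand-ins, guarded with
// function_exists() so the real WordPress implementations win when they exist.
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}
if ( ! function_exists( 'esc_url' ) ) {
	function esc_url( $url ) {
		// Stand-in (stricter than WordPress): only absolute http(s) URLs survive,
		// so a javascript: URL is dropped; the rest is entity-encoded for an attribute.
		$url = trim( (string) $url );
		if ( ! preg_match( '#^https?://#i', $url ) ) {
			return '';
		}
		return htmlspecialchars( $url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}

// Utility function in the get_site_url() style: returns the value raw, because the
// caller decides the context (href attribute, JSON, log line) and escapes for it.
function my_plugin_get_logo_url( array $settings ) {
	return isset( $settings['logo_url'] ) ? $settings['logo_url'] : '';
}

// HTML-generating function: every variable is escaped for the exact context it
// lands in, at the point of concatenation, even though the string is returned
// rather than echoed. The hard-coded tags around the variables are not escaped.
function my_plugin_get_generated_section_html( array $settings, $alt_text ) {
	$html  = '<div class="logo">';
	$html .= '<a href="' . esc_url( my_plugin_get_logo_url( $settings ) ) . '">';
	$html .= '<img alt="' . esc_attr( $alt_text ) . '" src="logo.png" />';
	$html .= '</a>';
	$html .= '<p>' . esc_html( $alt_text ) . '</p>';
	$html .= '</div>';
	return $html;
}

// Constructed hostile input standing in for a $_GET/$_POST value or a tampered
// option; nothing here was taken from a real site.
$settings = array( 'logo_url' => 'javascript:alert(1)' );
$alt_text = '"><script>alert(1)</script>';

// Echoing the returned string is the final sink; the escaping already happened
// inside the function, so this line needs no further wrapper.
echo my_plugin_get_generated_section_html( $settings, $alt_text ), "\n";
```

Run it with `php example.php`: the `javascript:` URL is rejected and the `href` comes out empty, and the quote and angle brackets in the alt text are entity-encoded in both the attribute and the paragraph, so the injected `<script>` never becomes a tag. The same escaping would be needed if the function were echoed directly instead of returned, which is the point of the thread: the sink, not the `return` keyword, decides whether escaping is required.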
 *  Thread Starter [Guido](https://wordpress.org/support/users/guido07111975/)
 * (@guido07111975)
 * [3 years, 9 months ago](https://wordpress.org/support/topic/sanitizing-output-when-returning/#post-15898252)
 * Hi Ben,
 * Thanks for your reply. Much clearer now.
 * The only thing that was not clear to me was how to handle escaping when returning
   variable content, instead of echoing this content. I know I should escape when
   echoing variable content, to avoid this content being abused or hijacked. But
   when returning this variable content without escaping, can this be as harmful?
   I now understand it can? The result is the same content, I guess.
 * > however in your example it looks like esc_html() would be better to use since
   > it would be escaping a block of HTML.
 * So this is better:
 *     ```
       $content = '';
       $content .= '<div>';
       $content .= __( 'My Text', 'my-text-domain' );
       $content .= '</div>';
       return esc_html($content);
       ```
   
 * Guido
 *  [Ben Greeley](https://wordpress.org/support/users/bengreeley/)
 * (@bengreeley)
 * [3 years, 9 months ago](https://wordpress.org/support/topic/sanitizing-output-when-returning/#post-15898413)
 * [@guido07111975](https://wordpress.org/support/users/guido07111975/): You’d want
   the `esc_html()` to be wrapped around your `__( 'My Text', 'my-text-domain' )`
   function, so similar to what you had previously – the rest of it wouldn’t need
   to be escaped since it’s hard-coded HTML. Hope that all makes sense.
    -  This reply was modified 3 years, 9 months ago by [Ben Greeley](https://wordpress.org/support/users/bengreeley/).
 *  Thread Starter [Guido](https://wordpress.org/support/users/guido07111975/)
 * (@guido07111975)
 * [3 years, 9 months ago](https://wordpress.org/support/topic/sanitizing-output-when-returning/#post-15898654)
 * Hi Ben,
 * About:
    `$content .= esc_attr( __( 'My Text', 'my-text-domain' ) );`
 * Why use `esc_html()` here, I’m only returning some text.
 * Guido
 *  [Ben Greeley](https://wordpress.org/support/users/bengreeley/)
 * (@bengreeley)
 * [3 years, 9 months ago](https://wordpress.org/support/topic/sanitizing-output-when-returning/#post-15898740)
 * Good question [@guido07111975](https://wordpress.org/support/users/guido07111975/).
   I actually should have pointed you to use the function `esc_html__()`: [https://developer.wordpress.org/reference/functions/esc_html__/](https://developer.wordpress.org/reference/functions/esc_html__/).
   This article does a great job explaining the problem and the solutions.
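Ben's two corrections above (wrap `esc_html()` around the translated string only, not the whole block, and use `esc_html__()` for a translated string that lands in HTML text), as an added example that is not code from the thread. The `__()` stand-in with a constructed translation table, the `esc_html`/`esc_html__` fallbacks and the `section_*` function names are assumptions for running this outside WordPress; inside WordPress the real functions are used.

```php
<?php
// Added example, not from the thread: escaping the variable versus escaping the
// whole returned block. Stand-ins below only apply when WordPress is not loaded.
if ( ! function_exists( '__' ) ) {
	function __( $text, $domain = 'default' ) {
		// Stand-in: a constructed translation table instead of a .mo file. The
		// "translation" carries markup, as a hostile or careless translation could.
		static $translations = array(
			'My Text' => 'Mon <b onmouseover="alert(1)">Texte</b>',
		);
		return isset( $translations[ $text ] ) ? $translations[ $text ] : $text;
	}
}
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}
if ( ! function_exists( 'esc_html__' ) ) {
	function esc_html__( $text, $domain = 'default' ) {
		return esc_html( __( $text, $domain ) );
	}
}

// Wrong span: escaping the finished block turns the hard-coded <div> into
// &lt;div&gt;, so the browser shows the tags as literal text instead of markup.
function section_escaped_whole() {
	$content  = '<div>';
	$content .= __( 'My Text', 'my-text-domain' );
	$content .= '</div>';
	return esc_html( $content );
}

// Right span: only the translated string is escaped; the wrapper stays markup.
// esc_html__() is the one-call form of esc_html( __( ... ) ).
function section_escaped_variable() {
	$content  = '<div>';
	$content .= esc_html__( 'My Text', 'my-text-domain' );
	$content .= '</div>';
	return $content;
}

echo section_escaped_whole(), "\n";
echo section_escaped_variable(), "\n";
```

The first line of output has no real tags at all; the second keeps `<div>` and `</div>` intact while the `<b onmouseover=...>` from the translation is rendered as harmless text. Returning versus echoing changes nothing here: whichever function the caller eventually echoes, the escaping has to sit around the variable part.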
 *  Thread Starter [Guido](https://wordpress.org/support/users/guido07111975/)
 * (@guido07111975)
 * [3 years, 9 months ago](https://wordpress.org/support/topic/sanitizing-output-when-returning/#post-15900234)
 * Hi Ben,
 * Thanks for that, there are many escaping functions and I clearly don’t know all
   of them yet.
 * Just to be clear and to summarise: also when returning variable content (such
   as translatable text and user input) you should use proper escaping. There’s 
   no difference between handling this type of content when echoing or returning.
 * Guido
 *  [Ben Greeley](https://wordpress.org/support/users/bengreeley/)
 * (@bengreeley)
 * [3 years, 9 months ago](https://wordpress.org/support/topic/sanitizing-output-when-returning/#post-15901137)
 * Yes, I think that’s the right way of thinking of it, Guido. Escape as late as
   possible with any other output, sanitize all user input and you’ll be on the 
   path to success. 🙌

The topic ‘Sanitizing output when returning’ is closed to new replies.

 * In: [Developing with WordPress](https://wordpress.org/support/forum/wp-advanced/)
 * 8 replies
 * 2 participants
 * Last reply from: [Ben Greeley](https://wordpress.org/support/users/bengreeley/)
 * Last activity: [3 years, 9 months ago](https://wordpress.org/support/topic/sanitizing-output-when-returning/#post-15901137)
 * Status: resolved
