esc_attr( string $text ): string

Escaping for HTML attributes.

Parameters

$text (string) (required)

Return

string

More Information

Encodes the <, >, &, " and ' (less than, greater than, ampersand, double quote and single quote) characters. Will never double-encode entities.

Always use when escaping HTML attributes (especially form values) such as alt, value, title, etc. To escape the value of a translation use esc_attr__() instead; to escape, translate and echo, use esc_attr_e().
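The template fragment below is an added example, not WordPress's own code. It pairs each attribute with the escaping function the text above prescribes and shows what esc_attr() actually emits, including its refusal to double-encode an existing entity. It assumes WordPress is loaded; `$user_title`, `$user_link` and the text domain `my-textdomain` are constructed for the demonstration and stand in for untrusted input.

```php
<?php
// Added example (not WordPress's own code). Assumes WordPress is loaded.
// The two variables are constructed stand-ins for untrusted input.
$user_title = 'Tom\'s "best" <pick> & more';  // constructed untrusted text
$user_link  = 'https://example.com/?a=1&b=2';  // constructed untrusted URL
?>
<!-- esc_attr(): encodes < > & " ' so the value cannot close the quotes -->
<input type="text" name="title" value="<?php echo esc_attr( $user_title ); ?>">

<!-- Translated strings: esc_attr_e() translates, escapes and echoes;
     esc_attr__() translates and escapes but returns the string. -->
<input type="search" placeholder="<?php esc_attr_e( 'Search posts', 'my-textdomain' ); ?>">
<?php $label = esc_attr__( 'Open the link', 'my-textdomain' ); // already escaped ?>

<!-- Attributes that carry a URL get esc_url(), which also validates the scheme;
     plain text attributes such as title still use esc_attr(). -->
<a href="<?php echo esc_url( $user_link ); ?>" title="<?php echo $label; ?>">link</a>

<?php
// esc_attr() never double-encodes: an entity that is already valid is left alone.
echo esc_attr( 'Fish &amp; Chips' ), "\n"; // Fish &amp; Chips

// Every special character in the constructed title is encoded exactly once.
echo esc_attr( $user_title ), "\n";
// Tom&#039;s &quot;best&quot; &lt;pick&gt; &amp; more
```

Because `esc_attr_e()` echoes, it is used directly inside the attribute, whereas `esc_attr__()` returns its result, so the value is stored and echoed later; the two calls are otherwise equivalent.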

Source

function esc_attr( $text ) {
	$safe_text = wp_check_invalid_utf8( $text );
	$safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
	/**
	 * Filters a string cleaned and escaped for output in an HTML attribute.
	 *
	 * Text passed to esc_attr() is stripped of invalid or special characters
	 * before output.
	 *
	 * @since 2.0.6
	 *
	 * @param string $safe_text The text after it has been escaped.
	 * @param string $text      The text prior to being escaped.
	 */
	return apply_filters( 'attribute_escape', $safe_text, $text );
}

Hooks

apply_filters( 'attribute_escape', string $safe_text, string $text )

Filters a string cleaned and escaped for output in an HTML attribute.
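The snippet below is an added example, not WordPress code, of hooking this filter from a plugin. It is a development-only audit: the callback receives both the escaped and the original text for every esc_attr() call, logs the call site whenever escaping actually changed the value (which points at attribute data that reached the template unescaped), and returns $safe_text untouched. It assumes WordPress is loaded with WP_DEBUG enabled.

```php
<?php
// Added example (not WordPress code): development-only audit filter on
// 'attribute_escape'. Assumes WordPress is loaded and WP_DEBUG is defined.
add_filter(
	'attribute_escape',
	function ( $safe_text, $text ) {
		// Only record values that escaping actually altered, i.e. values that
		// contained < > & " or ' when they reached esc_attr().
		if ( defined( 'WP_DEBUG' ) && WP_DEBUG && $safe_text !== $text ) {
			// Log the call site rather than the raw value, so the log itself
			// never carries the unescaped text around.
			error_log( sprintf(
				'[attribute_escape] %d-byte value changed by escaping at: %s',
				strlen( $text ),
				wp_debug_backtrace_summary()
			) );
		}

		// Always hand back the escaped text unchanged. Returning anything
		// weaker here would weaken every esc_attr() call site at once.
		return $safe_text;
	},
	10, // priority
	2   // accepted arguments: $safe_text and $text
);
```

The priority/argument count pair (10, 2) is required for the callback to receive the second parameter; with the default of one argument the original text is not passed.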

Changelog

Version    Description
2.8.0      Introduced.

User Contributed Notes

  1.

    When escaping the values of attributes that accept URIs (like href and src), it is important to pass the value through esc_url(). If you only use esc_attr(), the code may still be vulnerable to XSS. (Note also, that when using esc_url(), you don’t need to also use esc_attr().)

    <!-- This is correct: -->
    <img src="<?php echo esc_url( $src ); ?>" />
    
    <!-- This is OK, but the esc_attr() is unnecessary: -->
    <img src="<?php echo esc_attr( esc_url( $src ) ); ?>" />
     
    <!-- This is *not* correct: -->
    <img src="<?php echo esc_attr( $src ); ?>" />


  2.

    I’m not sure if esc_attr() is what you should use if you’re echoing out the value for a form input that is allowed to contain HTML entities, because they get lost. I.e., you may start with a string containing HTML entities (e.g. &amp;), and find them disappearing (turning into &).

    It’s easiest to explain with an example:

    1. You have a value in the database that is Want to do a "br" tag? Do this: &lt;br&gt;

    2. You output that value in a page inside a form input’s value with code like this:

    <input type="text" value="<?php echo esc_attr($value);?>">

    That will produce HTML like

    <input value="Want to do a &quot;br&quot; tag? Do this: &lt;br&gt;">

    3. When that is displayed by the browser, it will DECODE the HTML entities, showing the user Want to do a "br" tag? Do this: <br>.
    4. When that form is submitted back to the server, the browser will send the value the USER SAW, namely Want to do a "br" tag? Do this: <br>.
    5. If your database code saves the user's input as it was received, it will save it as
    Want to do a "br" tag? Do this: <br>

    Notice we lost the HTML entities? We started with Want to do a "br" tag? Do this: &lt;br&gt; but ended up with Want to do a "br" tag? Do this: <br>. Oops.

    In order to fix that, esc_attr() should have DOUBLE-encoded the HTML entities; ie produced HTML like this:

    <input value="Want to do a &quot;br&quot; tag? Do this: &amp;lt;br&amp;gt;">

    Notice the <br> tag has been double-encoded. That will mean the value Want to do a "br" tag? Do this: &lt;br&gt; will be displayed to the user, and thus get submitted, and saved down the road.

    So what function should you use for inputs that are allowed to have HTML entities? esc_textarea().

    Here's a code snippet showing the difference:

    <?php
    $string_with_html_entities = 'Want to do a "br" tag? Do this: &lt;br&gt;';
    ?>
    esc_attr: <input value="<?php echo esc_attr($string_with_html_entities);?>">
    esc_textarea: <input value="<?php echo esc_textarea($string_with_html_entities);?>">

    Which produces the following HTML

    esc_attr: <input value="Want to do a &quot;br&quot; tag? Do this: &lt;br&gt;">
    esc_textarea: <input value="Want to do a &quot;br&quot; tag? Do this: &amp;lt;br&amp;gt;">

    Try it and you'll see the second is actually what you want, if you want to allow HTML entities in the value.
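The script below is an added example, not part of the note above or of WordPress. It runs the round trip the note describes end to end: escape the stored value, let a simulated browser decode the attribute once, and compare what would be submitted with what was stored. Inside WordPress it uses the real esc_attr() and esc_textarea(); outside WordPress it defines stand-ins built on htmlspecialchars() with double_encode off and on respectively, which is an assumption about those functions' behaviour, not their source.

```php
<?php
// Added example (not WordPress code). Outside WordPress the two stand-ins
// approximate esc_attr() (no double encoding) and esc_textarea() (double
// encoding); that approximation is an assumption.
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8', false );
	}
}
if ( ! function_exists( 'esc_textarea' ) ) {
	function esc_textarea( $text ) {
		return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
	}
}

// Models the browser: an attribute value is entity-decoded exactly once,
// and that decoded text is what the form submits back to the server.
function browser_submits( $attribute_value ) {
	return html_entity_decode( $attribute_value, ENT_QUOTES, 'UTF-8' );
}

// Constructed stored value: the entities are part of the data on purpose.
$stored = 'Want to do a "br" tag? Do this: &lt;br&gt;';

foreach ( array( 'esc_attr', 'esc_textarea' ) as $fn ) {
	$attribute = $fn( $stored );
	$submitted = browser_submits( $attribute );
	$verdict   = ( $submitted === $stored ) ? 'preserved' : 'entities LOST';

	printf( "%-12s attribute : %s\n", $fn, $attribute );
	printf( "%-12s submitted : %s\n", $fn, $submitted );
	printf( "%-12s round-trip: %s\n\n", $fn, $verdict );
}
```

With the stand-ins, esc_attr leaves `&lt;br&gt;` as-is, so the decoded submission is `<br>` and the comparison fails; esc_textarea emits `&amp;lt;br&amp;gt;`, which decodes back to the stored `&lt;br&gt;`. Running the same script inside WordPress exercises the real functions instead.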

  3.

    It is important to always use quotes around your attribute’s value when it is being escaped with esc_attr(). Otherwise, your code will still be vulnerable to XSS.

    <!-- This is correct: -->
    <input type="text" name="fname" value="<?php echo esc_attr( $fname ); ?>">
    
    <!-- This is *not* correct: -->
    <input type=text name=fname value=<?php echo esc_attr( $fname ); ?>>
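The script below is an added example, not part of the note above or of WordPress, showing the mechanism behind it: esc_attr() encodes the five special characters but not spaces, so without quotes the parser ends the attribute at the first space. It feeds both forms from the note to DOMDocument and prints the attributes the parser assigns, using a harmless value with a space rather than any hostile input. Outside WordPress a stand-in for esc_attr() based on htmlspecialchars() is defined; that stand-in is an assumption about esc_attr()'s behaviour.

```php
<?php
// Added example (not WordPress code). Outside WordPress a stand-in for
// esc_attr() is defined; the approximation is an assumption.
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8', false );
	}
}

// Returns name => value for every attribute the HTML parser puts on the
// first <input> in $html. libxml errors are suppressed so the malformed
// variant is parsed leniently, the way a browser would.
function parsed_input_attributes( $html ) {
	$dom = new DOMDocument();
	libxml_use_internal_errors( true );
	$dom->loadHTML( '<!DOCTYPE html><html><body>' . $html . '</body></html>' );
	libxml_clear_errors();

	$input = $dom->getElementsByTagName( 'input' )->item( 0 );
	$attrs = array();
	foreach ( $input->attributes as $attr ) {
		$attrs[ $attr->name ] = $attr->value;
	}
	return $attrs;
}

// Constructed input: nothing hostile, just a name containing a space.
$fname = 'Mary Ann';

$quoted   = '<input type="text" name="fname" value="' . esc_attr( $fname ) . '">';
$unquoted = '<input type=text name=fname value=' . esc_attr( $fname ) . '>';

// Quoted: value => "Mary Ann", exactly the data that went in.
var_dump( parsed_input_attributes( $quoted ) );

// Unquoted: value => "Mary", and the second word becomes a separate,
// valueless attribute. The data has changed the element's attribute list
// even though esc_attr() was applied.
var_dump( parsed_input_attributes( $unquoted ) );
```

The second dump is the whole point of the note: once untrusted data can add attributes, escaping the value no longer confines it, which is why the quotes are mandatory.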
