Encodes the <, >, &, " and ' (less than, greater than, ampersand, double quote and single quote) characters. It will never double-encode entities that are already present.
Always use it when escaping HTML attributes (especially form values) such as alt, value, title, etc. To escape and echo the value of a translation, use esc_attr_e() instead.
<?php $fname = esc_attr( $fname ); // escape a value before it is placed inside an attribute ?>
<?php echo '<input type="text" name="fname" value="' . esc_attr( $_POST['fname'] ) . '">'; // escape user-supplied input at the point of output ?>
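The following added example is not WordPress's own code: it uses a stand-alone stand-in for esc_attr() (assumed here to be htmlspecialchars() with ENT_QUOTES and double_encode disabled, which reproduces the two properties described above but not every normalisation WordPress performs) so the raw and escaped attribute output can be compared outside WordPress on constructed inputs.

```php
<?php
// Hypothetical stand-in for esc_attr(), not the WordPress implementation.
// ENT_QUOTES covers both quote characters; double_encode=false leaves
// existing entities such as &amp; untouched, as the page describes.
function esc_attr_demo( $text ) {
    return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8', false );
}

// Constructed sample inputs (not real form data).
$samples = array(
    'Tom & Jerry <3 "quotes" and \'apostrophes\'',
    '" title="injected',                  // a quote that would end the value attribute
    'already &amp; encoded &lt;tag&gt;',  // must not become &amp;amp; or &amp;lt;
);

foreach ( $samples as $raw ) {
    // Unescaped: the second sample closes value="" early and starts a new attribute.
    $unsafe = '<input type="text" name="fname" value="' . $raw . '">';
    // Escaped: every sample stays inside the quoted attribute value.
    $safe   = '<input type="text" name="fname" value="' . esc_attr_demo( $raw ) . '">';
    echo "raw:     $unsafe\n";
    echo "escaped: $safe\n\n";
}
```

With the stand-in, the first sample escapes to `Tom &amp; Jerry &lt;3 &quot;quotes&quot; and &#039;apostrophes&#039;` and the third is returned unchanged.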
esc_attr() is located in
See: Data Validation article for an in-depth discussion of input and output sanitization.