How To Use Escape and require / include in WordPress Theme

After getting some experience uploading a free theme to wordpress.org, here are some notes which I think need attention in WordPress theme code. You need to know escaping and the require_once replacement. Here are the notes:

ESCAPE

Any numeric variable used anywhere

echo (int) $int;

Depending on whether it is an integer or a float, (int), absint() and (float) are all correct and acceptable; the cast itself is the escaping, since the result can only be a number. Note that absint() also drops the sign, so use it only where a negative value makes no sense (an ID, a count). At times, number_format() or number_format_i18n() might be more appropriate for display.

Variable within HTML attribute ( esc_attr )

echo '<div id="', esc_attr( $prefix . '-box' . $id ), '">';

Variable URL within HTML attribute

echo '<a href="', esc_url( $url ), '">';

Passing variable to javascript via wp_localize_script()

// No escaping needed in wp_localize_script: WP JSON-encodes the array when it prints it.
wp_localize_script( 'your-js-handle', 'variable_name',
	array(
		'prefix_nonce' => wp_create_nonce( 'plugin-name' ),
		'ajaxurl'      => admin_url( 'admin-ajax.php' ),
		'errorMsg'     => __( 'An error occurred', 'plugin-name' ),
	)
);

Variable within javascript block

<script type="text/javascript">
    var myVar = '<?php echo esc_js( $my_var ); ?>';
</script>

esc_js() only makes a value safe inside a single-quoted JavaScript string, so the quotes around it are required. For a number, array or object use wp_json_encode() instead, which produces a complete JavaScript literal.

Variable within inline javascript

<a href="#" onclick="do_something('<?php echo esc_js( $var ); ?>'); return false;">
<a href="#" data-json="<?php echo esc_attr( wp_json_encode( $var ) ); ?>">

$var should be escaped with esc_js() when it is a string inside single quotes, or encoded with wp_json_encode() (or json_encode()) when it is an array or object. Output of either that lands inside an HTML attribute still sits in attribute context, so it goes through esc_attr() as well.

Variable within HTML textarea

echo '<textarea>', esc_textarea( $data ), '</textarea>';

Variable within HTML tags

echo '<div>', wp_kses_post( $phrase ) , '</div>';

This depends on whether $phrase is expected to contain HTML or not.

  • If not, use esc_html() or any of its variants (esc_html__(), esc_html_e(), ...).
  • If HTML is expected, use wp_kses_post() (the tags allowed in post content), or wp_kses() with the set of HTML tags you want to allow. wp_kses_allowed_html( 'post' ) returns the post whitelist if you want to start from it and pass a modified copy to wp_kses().

Variable string within XML or XSL context

echo '<loc>', ent2ncr( $var ), '</loc>';
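The contexts listed above rarely appear one at a time; a single template tag usually hits most of them. The following is an added example, not code from the original post, showing one function that outputs a "card" and escapes every value with the function matching its context, then calls it with constructed hostile input. The function name, the $card keys and the allowed-tag list are assumptions made for this illustration.

```php
<?php
/**
 * Added example: every value in $card is treated as untrusted (post meta, a
 * Customizer setting, an option an attacker may have tampered with) and is
 * escaped at the moment it is printed, in the function that matches where
 * it lands.
 */
function mytheme_render_card( array $card ) {
	$id      = $card['id'];       // expected integer
	$price   = $card['price'];    // expected float
	$title   = $card['title'];    // plain text, no HTML expected
	$url     = $card['url'];      // URL for href
	$body    = $card['body'];     // limited HTML expected
	$note    = $card['note'];     // goes into a <textarea>
	$options = $card['options'];  // array handed to JavaScript

	// Numbers: the cast is the escaping. absint() also drops the sign.
	echo '<div id="', esc_attr( 'mytheme-card-' . absint( $id ) ), '" data-price="', (float) $price, '">';
	// Plain text between tags.
	echo '<h2>', esc_html( $title ), '</h2>';
	// URL inside an attribute: esc_url() drops disallowed protocols entirely.
	echo '<a href="', esc_url( $url ), '">', esc_html__( 'Read more', 'mytheme' ), '</a>';

	// HTML is allowed in the body, but only these tags and attributes; <script>,
	// <img> and on* handlers are stripped by wp_kses().
	$allowed = array(
		'a'      => array( 'href' => true, 'title' => true ),
		'strong' => array(),
		'em'     => array(),
		'p'      => array(),
	);
	echo '<div class="body">', wp_kses( $body, $allowed ), '</div>';

	// Textarea content has its own escaper (closing </textarea> cannot break out).
	echo '<textarea name="note">', esc_textarea( $note ), '</textarea>';

	// JavaScript: a string literal goes through esc_js() inside single quotes; a
	// structure goes through wp_json_encode(). JSON_HEX_TAG/JSON_HEX_AMP make sure
	// a value containing "</script>" cannot close the block early.
	?>
	<script type="text/javascript">
		var cardTitle   = '<?php echo esc_js( $title ); ?>';
		var cardOptions = <?php echo wp_json_encode( $options, JSON_HEX_TAG | JSON_HEX_AMP ); ?>;
	</script>
	<?php
	echo '</div>';
}

// Constructed sample input with hostile values. In the rendered output the
// <script> in $title and $body never reaches the browser as markup, the
// javascript: URL becomes an empty href, and the stray </textarea> is encoded.
mytheme_render_card( array(
	'id'      => '42abc',
	'price'   => '19.99',
	'title'   => 'Sale <script>alert(1)</script>',
	'url'     => 'javascript:alert(1)',
	'body'    => '<p>Only <strong>this</strong></p><img src=x onerror=alert(1)>',
	'note'    => '</textarea><script>alert(1)</script>',
	'options' => array( 'autoplay' => false, 'label' => '"quoted" & </script>' ),
) );
```

The pattern to take from this is "escape late": the raw values travel through the function unchanged and each one is escaped exactly once, at the echo, by the function for that context. Escaping earlier (for example storing an esc_attr()'d value) tends to produce double-encoded output in one place and a missed context in another.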

REQUIRE_ONCE / INCLUDE

require in the theme folder

For example, you have something like this:

require get_template_directory() . '/inc/my-functions.php';

You can change it to:

get_template_part( 'inc/my-functions' );

get_template_part() adds the .php suffix itself and resolves the slug through locate_template(), which looks in the child theme first and then in the parent theme, so a child theme can override the file by shipping its own copy. The flip side is that a misspelled slug loads nothing and raises no error, so check the return value of locate_template() yourself when the file is required.

require outside the theme folder

For example, you have something like this:

require ABSPATH . WPINC . '/class-wp-editor.php';

You can change it to:

load_template( ABSPATH . WPINC . '/class-wp-editor.php' );

load_template() accepts any absolute path and uses require_once by default (its second argument), so loading the same file twice is safe. In both cases the path or slug must be a literal in your code, never something built from request data.
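Putting the two replacements together, here is an added example, not code from the original post, of a theme's functions.php loading its include files the WordPress way, with the missing-file check that get_template_part() does not do for you. The file names, the mytheme_ prefix and the helper function are assumptions made for this illustration.

```php
<?php
/**
 * Added example: loading theme files with get_template_part() and
 * load_template() instead of require, plus a guard for required files.
 */

// 1. Files inside the theme. Overridable by a child theme, silent if missing.
get_template_part( 'inc/my-functions' );

// 2. For a file the theme cannot work without, make a missing file loud
//    during development instead of failing quietly. locate_template()
//    returns '' when neither the child nor the parent theme has the file.
function mytheme_require_part( $slug ) {
	$path = locate_template( $slug . '.php', false );
	if ( '' === $path ) {
		if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
			trigger_error( sprintf( 'Missing theme file: %s.php', esc_html( $slug ) ), E_USER_WARNING );
		}
		return false;
	}
	// load_template() defaults to require_once, so a second call for the
	// same file does not redeclare its functions.
	load_template( $path, true );
	return true;
}
mytheme_require_part( 'inc/customizer' );

// 3. A file outside the theme folder: load_template() takes an absolute path.
//    The path is assembled from WordPress constants, never from $_GET/$_POST,
//    which is what keeps this from turning into a local file inclusion.
load_template( ABSPATH . WPINC . '/class-wp-editor.php', true );
```

The slug passed to get_template_part() or the helper above must be a string literal in the theme; if any part of it came from a request, locate_template() would happily resolve a traversal such as "../../wp-config" against the theme directory, so the fix is to never let that input exist rather than to escape it.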
