WordPress esc_attr Example: Escape HTML Attributes Safely
A practical guide to escaping dynamic HTML attribute values correctly in WordPress without confusing output escaping and sanitization.
Published
May 8, 2026
Reading Time
2 min read
Updated
May 8, 2026

Implementation Notes
Extension points, code paths, and implementation choices that should survive contact with production.
Best For
WordPress developers, agencies, and technical teams building custom plugin or theme functionality with cleaner operational defaults.
Last reviewed: May 8, 2026
Attribute escaping is one of those details that looks boring until it fails. A value can be fully sanitized for storage and still break HTML output when it lands inside value, data-*, title, or aria-* attributes: a single double quote in the value closes the attribute, and whatever follows is parsed as new attributes, including event handlers such as onfocus. esc_attr() exists for that final output step; it turns &, <, >, " and ' into HTML entities so the value cannot leave the attribute it was written into.
This guide shows where esc_attr() belongs in WordPress theme and plugin code and why it should be treated as output escaping, not input sanitization.
Escape dynamic values at the point they enter an HTML attribute
```php
<?php
// Stored value. It may have been sanitized on save, but storage is not an output context.
$status = get_option( 'vulnwp_status_label', 'Ready for review' );

// Output. The value is entering a double-quoted HTML attribute, so escape for that context here.
echo '<input type="text" name="vulnwp_status_label" value="' . esc_attr( $status ) . '" />';
```
The option value may already be normalized for storage, but the final HTML attribute still needs context-appropriate escaping when it is rendered. Keep the attribute quoted as well: esc_attr() encodes quotes and angle brackets but not spaces, so a value such as x onfocus=alert(1) written into an unquoted attribute still becomes a second attribute.
Do not replace sanitization with escaping
esc_attr() does not define what values are acceptable for the application. It only makes a value safer for a specific output context. Validation and sanitization should already have happened earlier, based on what the field is supposed to contain.
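The full save-to-render path for the vulnwp_status_label option, as an added example written for this article (it is not code from the page or from WordPress core). The settings group vulnwp_settings, the vulnwp_* function names, the 80-character limit and the hostile input are all assumptions constructed for the demonstration; the function_exists() stand-ins approximate the WordPress helpers only so the file can run outside WordPress and are not the core implementations.

```php
<?php
/**
 * Added example, not from the original article or WordPress core: sanitize the
 * vulnwp_status_label option on save, escape it on output, and show why the
 * second step is still needed after the first.
 *
 * Assumptions: the settings group 'vulnwp_settings', the vulnwp_* function
 * names, the 80-character limit and the hostile input are all constructed here.
 */

// Stand-ins so the file also runs outside WordPress (`php example.php`). They
// approximate the WordPress helpers for this demonstration; they are not the
// core implementations.
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        // Strip tags, collapse line breaks, tabs and runs of spaces, then trim.
        return trim( preg_replace( '/[\r\n\t ]+/', ' ', strip_tags( (string) $str ) ) );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        // & < > " ' become entities, as esc_attr() does in core.
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

/**
 * Save-time sanitization and validation. Decides what the field may contain
 * (a short, single-line label) and says nothing about HTML.
 */
function vulnwp_sanitize_status_label( $value ) {
    $value = sanitize_text_field( $value );
    if ( mb_strlen( $value ) > 80 ) {
        $value = mb_substr( $value, 0, 80 );
    }
    return $value;
}

/**
 * Render-time escaping. This is the first point where the code knows the value
 * is entering a double-quoted attribute, so this is where esc_attr() belongs.
 */
function vulnwp_render_status_field( $status ) {
    return '<input type="text" name="vulnwp_status_label" value="' . esc_attr( $status ) . '" />';
}

// Inside WordPress, attach the sanitizer to the option so every save goes through it.
if ( function_exists( 'add_action' ) ) {
    add_action( 'admin_init', function () {
        register_setting( 'vulnwp_settings', 'vulnwp_status_label', array(
            'type'              => 'string',
            'sanitize_callback' => 'vulnwp_sanitize_status_label',
            'default'           => 'Ready for review',
        ) );
    } );
}

// Constructed hostile input. It contains no tags, so tag-stripping sanitization
// accepts it unchanged; the double quote is what attacks the attribute.
$submitted = '" autofocus onfocus="alert(document.domain)';
$stored    = vulnwp_sanitize_status_label( $submitted );

// Unsafe render: the stored quote closes value="" and the remainder is parsed
// as new attributes, one of them an event handler.
$unsafe = '<input type="text" name="vulnwp_status_label" value="' . $stored . '" />';

// Safe render: every quote is now &quot;, so the payload stays inside the value.
$safe = vulnwp_render_status_field( $stored );

echo 'stored value still contains a double quote: ', ( strpos( $stored, '"' ) !== false ? 'yes' : 'no' ), "\n";
echo 'unsafe: ', $unsafe, "\n";
echo 'safe:   ', $safe, "\n";
```

Run it with php from the command line, or move the two vulnwp_* functions and the admin_init hook into a plugin. The sanitizer answers "is this an acceptable label?" and passes the quote through, because a quote is a legitimate character in a label; the unsafe render therefore carries a live onfocus handler. In the safe render the same bytes appear as &quot; autofocus onfocus=&quot;alert(document.domain), which the browser treats as the input's text.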
Remember that attributes are not the same as visible text
Text that appears between tags often belongs on an esc_html() path instead. The safest code is usually the one that maps each output context to the correct escaping helper instead of reaching for one function everywhere.
Common mistakes
- Using raw variables inside attributes. This is the bug esc_attr() is meant to prevent.
- Using attribute escaping as the only safety step. Business validation still matters.
- Mixing attribute and URL contexts. esc_attr() leaves a javascript: scheme untouched because it contains nothing to encode; URLs usually belong on an esc_url() path, which rejects disallowed schemes.
- Escaping too early and then mutating the value later. Output escaping belongs near rendering.
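The context mapping described above and the mixed-context mistake from the list, as an added example written for this article (not code from the page or from WordPress core). It renders one element with the helper for each context, then shows esc_attr() failing to stop a javascript: URL and failing to protect an unquoted attribute. The vulnwp_* function names and the hostile inputs are constructed; the function_exists() stand-ins approximate the WordPress helpers so the file runs outside WordPress and are not the core implementations.

```php
<?php
/**
 * Added example, not from the original article or WordPress core: one element
 * rendered with the helper for each output context, beside the two mistakes
 * that context mixing produces. The vulnwp_* function names and the hostile
 * inputs are constructed for this demonstration.
 */

// Stand-ins so the file runs outside WordPress (`php example.php`). They
// approximate the WordPress helpers closely enough for this demonstration; they
// are not the core implementations.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    function esc_url( $url ) {
        $url = trim( (string) $url );
        // Drop characters that never belong in a URL (quotes, angle brackets, whitespace).
        $url = preg_replace( '/[^a-z0-9\-~+_.?#=!&;,\/:%@$|*\'()\[\]]/i', '', $url );
        // Reject schemes outside an allow-list; core does this via wp_allowed_protocols().
        $allowed = array( 'http', 'https', 'mailto', 'tel' );
        if ( preg_match( '/^([a-z][a-z0-9+.\-]*):/i', $url, $m ) && ! in_array( strtolower( $m[1] ), $allowed, true ) ) {
            return '';
        }
        return str_replace( array( '&', "'" ), array( '&#038;', '&#039;' ), $url );
    }
}

/**
 * Correct: href is a URL context, title and data-status are attribute
 * contexts, the link text is a text node. Each gets its own helper.
 */
function vulnwp_render_status_link( $href, $label, $status ) {
    return sprintf(
        '<a href="%s" title="%s" data-status="%s">%s</a>',
        esc_url( $href ),
        esc_attr( $label ),
        esc_attr( $status ),
        esc_html( $label )
    );
}

/**
 * Mistake 1: esc_attr() on a URL. "javascript:alert(1)" contains none of the
 * characters attribute escaping encodes, so it reaches the href unchanged.
 */
function vulnwp_render_link_attr_only( $href, $label ) {
    return '<a href="' . esc_attr( $href ) . '">' . esc_html( $label ) . '</a>';
}

/**
 * Mistake 2: an unquoted attribute. esc_attr() encodes quotes and angle
 * brackets but not spaces, so the first space ends the attribute value and
 * the rest of the string is parsed as further attributes.
 */
function vulnwp_render_unquoted( $status ) {
    return '<span data-status=' . esc_attr( $status ) . '>status</span>';
}

// Constructed hostile inputs, one aimed at each context.
$href   = 'javascript:alert(1)';
$label  = '"><img src=x onerror=alert(1)>';
$status = 'draft onmouseover=alert(1)';

echo vulnwp_render_status_link( $href, $label, $status ), "\n";
echo vulnwp_render_link_attr_only( $href, $label ), "\n";
echo vulnwp_render_unquoted( $status ), "\n";
```

The first printed line has an empty href and every injected angle bracket and quote entity-encoded; the second keeps href="javascript:alert(1)" as a clickable link; the third ends with onmouseover=alert(1) parsed as a real attribute. The esc_url() stand-in is an approximation: core strips and normalizes more than this, but the behaviour the example relies on, returning an empty string for a scheme outside the allow-list, is the same.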
Production checklist
- Use esc_attr() for dynamic HTML attribute values.
- Keep input sanitization separate from output escaping.
- Use esc_url() for URLs and esc_html() for visible text.
- Escape as late as possible, near the actual render point.
- Review custom admin forms for unescaped attribute output.
Related reading
Pair this with the esc_url guide when the attribute contains a link, and with the sanitize_textarea_field article when the value starts as multiline form input.


