Use case of wp_kses(), wp_kses_post(), __(), _e(), esc_html(), esc_attr() in WordPress

In WordPress development, sanitization functions clean data on the way in (before it is stored) and escaping functions make it safe on the way out (when it is printed into HTML). Used together they prevent Cross-Site Scripting (XSS) attacks and keep stored data consistent. Below are the use cases for the specified functions:

1. wp_kses()

  • Use Case: Sanitize input by allowing only specific HTML elements and attributes.
  • When to Use:
    • When processing user-generated content that needs to retain some HTML tags (like bold or links).
    • For example, sanitizing post content or a custom textarea field in a plugin.
  • Why: To prevent XSS attacks while allowing specific HTML for formatting.

Example:

// Allow links (href and title only), bold and emphasis; every other tag and
// attribute (script, iframe, onclick, style, ...) is stripped.
$allowed_tags = [
    'a' => ['href' => [], 'title' => []],
    'b' => [],
    'em' => [],
];
$safe_content = wp_kses($user_input, $allowed_tags);

2. wp_kses_post()

  • Use Case: Like wp_kses(), but with a fixed allow-list: the same HTML tags and attributes WordPress core permits in post content.
  • When to Use:
    • When sanitizing post content or other user-submitted content that should adhere to WordPress’s default post sanitization rules.
  • Why: Simplifies sanitization for content expected to follow post content rules.

Example:

// Uses the 'post' context allow-list, so no custom $allowed_tags array is needed.
$safe_post_content = wp_kses_post($user_input);

3. __()

  • Use Case: Retrieve a translatable string.
  • When to Use:
    • When you need a string that can be translated using a .po/.mo translation file or a translation plugin.
  • Why: Ensures internationalization (i18n) support for multilingual sites. Note that __() only translates; it does not escape. When the result is printed into HTML, escape it for its context as well, or use esc_html__() / esc_attr__(), which do both.

Example:

// __() returns the translated string; it is not echoed and not escaped.
$translated_text = __('Hello, World!', 'text-domain');
echo $translated_text;

4. _e()

  • Use Case: Display a translatable string directly (output version of __()).
  • When to Use:
    • When you want to echo a translatable string directly to the page.
  • Why: Saves the extra step of calling echo with __(). Like __(), it performs no escaping; esc_html_e() and esc_attr_e() exist for translated strings printed into HTML text or attributes.

Example:

// Translates and echoes in one call (no escaping applied).
_e('Welcome to our website!', 'text-domain');

5. esc_html()

  • Use Case: Escape HTML content to display it safely as plain text.
  • When to Use:
    • When outputting user data or dynamic content into an HTML context where raw HTML should not render.
  • Why: Prevents XSS by escaping special HTML characters (<, >, &, and quotes), so any markup in the value is shown literally instead of being interpreted by the browser.

Example:

// A value such as "<b>x</b>" is printed as the literal text <b>x</b>, not rendered as bold.
echo esc_html($user_input);

6. esc_attr()

  • Use Case: Escape data for safe output inside an HTML attribute.
  • When to Use:
    • When placing dynamic content inside a quoted HTML attribute, such as value, class, or id.
  • Why: Prevents XSS by escaping special characters that could break out of the HTML attribute. Use it only inside quoted attributes; URLs in href or src should go through esc_url() instead.

Example:

// Quotes in $user_input are escaped, so the value cannot close the attribute and add new ones.
echo '<input type="text" value="' . esc_attr($user_input) . '">';
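The following is an added example (not code from the original article or from WordPress itself) that ties the sanitization functions from sections 1 and 2 to the output functions from sections 3 to 6: one plugin field is filtered with wp_kses() when saved and escaped and translated when rendered. The option names, the settings group 'example_settings', the function names and the 'example-plugin' text domain are all hypothetical.

```php
<?php
// Allow-list for a short "bio" field: links (href/title/rel only), bold, emphasis, <br>.
// Tags and attributes not listed here (script, iframe, onclick, style, ...) are removed.
function example_bio_allowed_html() {
    return [
        'a'  => [ 'href' => [], 'title' => [], 'rel' => [] ],
        'b'  => [],
        'em' => [],
        'br' => [],
    ];
}

// Runs on save (sanitize_callback). wp_kses() also checks URL protocols against
// wp_allowed_protocols(), so a javascript: href is dropped along with the onclick.
function example_sanitize_bio( $raw ) {
    return wp_kses( (string) $raw, example_bio_allowed_html() );
}

// A second field that may carry the full set of HTML WordPress permits in post content.
function example_sanitize_announcement( $raw ) {
    return wp_kses_post( (string) $raw );
}

add_action( 'admin_init', function () {
    register_setting( 'example_settings', 'example_bio', [
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_bio',
        'default'           => '',
    ] );
    register_setting( 'example_settings', 'example_announcement', [
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_announcement',
        'default'           => '',
    ] );
} );

// Renders the stored values. $display_name is untrusted (e.g. from a query string),
// so it is escaped for the exact context it lands in: text node vs. attribute.
function example_render_profile_card( $display_name ) {
    $bio          = get_option( 'example_bio', '' );
    $announcement = get_option( 'example_announcement', '' );
    ?>
    <div class="profile-card" data-name="<?php echo esc_attr( $display_name ); ?>">
        <h2><?php esc_html_e( 'Profile', 'example-plugin' ); ?></h2>

        <p><?php echo esc_html( $display_name ); ?></p>

        <input type="text" name="display_name"
               placeholder="<?php esc_attr_e( 'Display name', 'example-plugin' ); ?>"
               value="<?php echo esc_attr( $display_name ); ?>">

        <?php
        // __() returns the translation unescaped; translation files are data, not
        // trusted code, so the result is escaped for its output context too.
        $label = __( 'About', 'example-plugin' );
        echo '<h3>' . esc_html( $label ) . '</h3>'; // same as esc_html__( 'About', 'example-plugin' )
        ?>

        <!-- Limited HTML is filtered again at output time with the same allow-list,
             so a value written to the option by another code path cannot bypass it. -->
        <div class="bio"><?php echo wp_kses( $bio, example_bio_allowed_html() ); ?></div>
        <div class="announcement"><?php echo wp_kses_post( $announcement ); ?></div>
    </div>
    <?php
}

// Constructed sample input for the bio field (not real data), showing what the
// allow-list does. Given:
//   <a href="https://example.com" onclick="alert(1)">Site</a><script>alert(1)</script><em>hi</em>
// wp_kses() with example_bio_allowed_html() keeps the <a> (minus onclick) and the <em>,
// and removes the <script> tags, leaving their inner text as harmless plain text:
//   <a href="https://example.com">Site</a>alert(1)<em>hi</em>
```

The split mirrors the rule the article builds up to: sanitize once with wp_kses() or wp_kses_post() when the data is stored, then escape every dynamic value with esc_html(), esc_attr() or the esc_*_e() translation variants at the moment it is printed, choosing the function by the HTML context the value lands in.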

Summary of When to Use Each

| Function       | Use For                              | Why Use It                                        |
|----------------|--------------------------------------|---------------------------------------------------|
| wp_kses()      | Allow specific HTML tags/attributes  | Prevent XSS while allowing partial HTML           |
| wp_kses_post() | Sanitize post content                | Use default WordPress rules for allowed HTML      |
| __()           | Retrieve translatable string         | Enable translation and i18n                       |
| _e()           | Output translatable string           | Echo translation directly                         |
| esc_html()     | Escape for plain text output         | Prevent HTML rendering, secure output             |
| esc_attr()     | Escape for HTML attributes           | Prevent attribute injection, secure attributes    |

By understanding these functions, you can ensure that your WordPress code is secure, robust, and ready for internationalization.
