Title: do_shortcode escaping
Last modified: November 15, 2025

---

# do_shortcode escaping

 *  [ie1963](https://wordpress.org/support/users/ie1963/)
 * (@ie1963)
 * [6 months, 3 weeks ago](https://wordpress.org/support/topic/do_shortcode-escaping/)
 * Please tell me how to escape the widget shortcode.
 * There is a function:
 *     ```wp-block-code
       if (!function_exists('foo_do_shortcode')) {
           function foo_do_shortcode($name, $attrs = array()) {
               // Characters that would break the shortcode syntax.
               $special_chars = array('[', ']', '"', "'");
               $sc_params = '';
               foreach ($attrs as $k => $v) {
                   // Skip values that cannot be written as a shortcode attribute.
                   if (is_array($v) || is_object($v)) {
                       continue;
                   }
                   $v = str_replace($special_chars, '', $v);
                   $sc_params .= sprintf(' %s="%s"', sanitize_key($k), esc_attr($v));
               }
               $short_code = "[{$name}{$sc_params}]";
               return do_shortcode($short_code);
           }
       }
       ```
   
 * We’re calling it in another file.
 *     ```wp-block-code
       echo foo_do_shortcode('foo_search', array(
           'layout'         => $layout,
           'column'         => 1,
           'color_scheme'   => "color-dark",
           'status_enable'  => $status_enable == 1 ? 'true' : 'false',
           'type_enable'    => $type_enable == 1 ? 'true' : 'false',
           'title_enable'   => $title_enable == 1 ? 'true' : 'false',
           'address_enable' => $address_enable == 1 ? 'true' : 'false',
           'country_enable' => $country_enable == 1 ? 'true' : 'false',
       ));
       ```
   
 * Error checking: All output should be run through an escaping function (see the
   Security sections in the WordPress Developer Handbooks), found ‘foo_do_shortcode’
 * I tried wp_kses_post, esc_html … and more. The widget breaks.

Viewing 6 replies - 1 through 6 (of 6 total)

 *  Moderator [threadi](https://wordpress.org/support/users/threadi/)
 * (@threadi)
 * [6 months, 3 weeks ago](https://wordpress.org/support/topic/do_shortcode-escaping/#post-18720330)
 * wp_kses_post() would be the right function for this. It should look something
   like this:
 *     ```wp-block-code
       echo wp_kses_post( foo_do_shortcode() );
       ```
   
 * That should fix the warning. You just need to make sure that no other components
   are affecting the HTML code that is filtered by KSES. See also: [https://wp-mix.com/wordpress-basic-allowed-html-wp_kses/](https://wp-mix.com/wordpress-basic-allowed-html-wp_kses/)
 * Tip: you can use the code block here in the forum: [https://wordpress.org/support/forum-user-guide/block-editor/#code-block](https://wordpress.org/support/forum-user-guide/block-editor/#code-block)
 *  Thread Starter [ie1963](https://wordpress.org/support/users/ie1963/)
 * (@ie1963)
 * [6 months, 3 weeks ago](https://wordpress.org/support/topic/do_shortcode-escaping/#post-18720431)
 * Thanks. I’ll use the code block.
   Regarding wp_kses_post, I used it initially,
   but the entire widget markup breaks. I’ve tried everything, but nothing works.
 * Maybe I can get rid of “echo”?
 *  Moderator [threadi](https://wordpress.org/support/users/threadi/)
 * (@threadi)
 * [6 months, 3 weeks ago](https://wordpress.org/support/topic/do_shortcode-escaping/#post-18720480)
 * No, `do_shortcode` returns a string that must be output using `echo`. See: [https://developer.wordpress.org/reference/functions/do_shortcode/](https://developer.wordpress.org/reference/functions/do_shortcode/)
 * What exactly is incorrect about the output? Are HTML elements or individual attributes
   missing? Have you tried deactivating all other plugins, as they could be affecting
   KSES?
 *  Moderator [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * (@bcworkz)
 * [6 months, 3 weeks ago](https://wordpress.org/support/topic/do_shortcode-escaping/#post-18720596)
 * wp_kses_post() is fairly strict with what HTML it allows. It has likely stripped
   out something essential for your specific situation. Find out what that is and
   confirm that it’s valid and secure HTML. You can then modify what wp_kses() allows
   via the ‘wp_kses_allowed_html’ filter hook.
 *  Thread Starter [ie1963](https://wordpress.org/support/users/ie1963/)
 * (@ie1963)
 * [6 months, 3 weeks ago](https://wordpress.org/support/topic/do_shortcode-escaping/#post-18722126)
 * I’m currently working on a local server and only have this plugin installed, 
   no others.
   I’m using wp_kses_post. Half the widget (input fields and html) is 
   missing. I’ll have to learn and use wp_kses_allowed_html. I’m just starting to
   learn WordPress.
 *  Moderator [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * (@bcworkz)
 * [6 months, 3 weeks ago](https://wordpress.org/support/topic/do_shortcode-escaping/#post-18724057)
 * wp_kses_post() is essentially a wrapper function for wp_kses(). You’ll see so
   if you look at [its source code](https://developer.wordpress.org/reference/functions/wp_kses_post/#source).
   If you were to use wp_kses() directly instead, it’s possible to override the 
   default allowed HTML and specify your own. However, I find such an approach too
   cumbersome; I prefer to modify the default via the ‘wp_kses_allowed_html’ filter
   hook.
 * IME it’s unusual for wp_kses() to strip out entire fields. For me, I typically
   find certain attributes being removed, not the entire tag. IOW, I think something
   else might be going on beyond allowed HTML. I can imagine that if HTML syntax
   was somehow flawed, that more content might be stripped out than is normally 
   warranted. It’s probably worth running the unescaped HTML through [a syntax linter](https://validator.w3.org/#validate_by_input).
 * In case you have yet to become familiar with filter or action hooks in general,
   [this reference](https://developer.wordpress.org/plugins/hooks/) should prove
   useful. I suggest you dump out the return of wp_allowed_protocols() so you can
   learn how the data array is structured and how it can be modified to suit your
   needs. You’ll want to wrap the output in `<pre>` tags, otherwise the formatting
   structure gets lost.
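
The approach discussed in the replies above, as an added example that is not part of the original thread: the 'wp_kses_allowed_html' filter is used to allow form controls, but only for a dedicated context, so the allowlist for ordinary post content is not widened. The context name `foo_search_form`, the callback name, the tag and attribute list and the sample `layout` value are assumptions about what the widget emits.

```php
<?php
/**
 * Added example (not from the thread): a widget-specific KSES allowlist.
 * 'foo_search_form' is a hypothetical context name; the tags and attributes
 * below are assumptions and should be reduced to what the widget really outputs.
 */
add_filter( 'wp_kses_allowed_html', 'foo_search_allowed_html', 10, 2 );

function foo_search_allowed_html( $allowed, $context ) {
	if ( 'foo_search_form' !== $context ) {
		// Leave 'post' and every other context exactly as WordPress defines it.
		return $allowed;
	}

	// Start from the allowlist wp_kses_post() uses, then add form controls.
	$allowed = wp_kses_allowed_html( 'post' );
	$common  = array( 'id' => true, 'class' => true, 'name' => true );

	$allowed['form']   = $common + array( 'action' => true, 'method' => true );
	$allowed['input']  = $common + array(
		'type'        => true,
		'value'       => true,
		'placeholder' => true,
		'checked'     => true,
	);
	$allowed['select'] = $common;
	$allowed['option'] = array( 'value' => true, 'selected' => true );

	// Nothing else is added: <script> and on* event attributes are still stripped.
	return $allowed;
}

// Escape late, at the point of output, using the widget-specific context.
echo wp_kses(
	foo_do_shortcode( 'foo_search', array( 'layout' => 'default' ) ), // constructed value
	'foo_search_form'
);
```

Passing a context name as the second argument of wp_kses() makes it resolve the allowlist through wp_kses_allowed_html(), which is where the filter above applies.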


The topic ‘do_shortcode escaping’ is closed to new replies.

## Tags

 * [escaping](https://wordpress.org/support/topic-tag/escaping/)
 * [shortcode](https://wordpress.org/support/topic-tag/shortcode/)

 * In: [Developing with WordPress](https://wordpress.org/support/forum/wp-advanced/)
 * 6 replies
 * 5 participants
 * Last reply from: [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * Last activity: [6 months, 3 weeks ago](https://wordpress.org/support/topic/do_shortcode-escaping/#post-18724057)
 * Status: not resolved

