Function and usage of esc_js() in WordPress


Answers ( 1 )


    The esc_js() function in WordPress is a security utility designed to sanitize text strings that will be echoed in JavaScript. This function is particularly important for preventing cross-site scripting (XSS) attacks by ensuring that the text strings do not inadvertently break the JavaScript code or execute malicious scripts. Here's a detailed explanation of the function and its usage:

    Function Syntax

    esc_js( string $text ): string

    Function Description

    • Purpose: Escapes text strings specifically for safe output in JavaScript contexts.
    • Functionality: It escapes special characters like single quotes ('), double quotes ("), backslashes (\), and HTML entities like &. Additionally, it transforms line endings to the appropriate format for JavaScript strings.
    • Context of Use: Primarily used for inline JavaScript, such as within HTML tag attributes (e.g., onclick, onmouseover). It’s important to note that the strings should be enclosed in single quotes in the JavaScript context for esc_js() to work effectively.


    Parameters

    • $text (string, required): The text string that you want to escape. This parameter takes the raw text that you intend to output in a JavaScript context.

    Return Value

    • Type: string
    • Description: The function returns the escaped version of the input text, making it safe for inclusion in JavaScript code.

    Usage Example

    Here’s a sample usage of esc_js() in a WordPress template or plugin:

    <?php
    $original_text = "This is a 'test' string with \"special\" characters & line breaks.\nNew line here.";
    // Escape for use inside a single-quoted JavaScript string.
    $escaped_text = esc_js($original_text);
    ?>
    <script type="text/javascript">
        alert('<?php echo $escaped_text; ?>');
    </script>

    In this example, $original_text contains a string with various characters that need escaping for JavaScript. The esc_js() function is used to escape this string, and the result ($escaped_text) is then safely echoed inside a JavaScript alert function. The output in the JavaScript will be a properly escaped string that will not break the JavaScript code or cause security issues.

    Important Notes

    • Filter Application: The esc_js() function applies the js_escape filter, allowing for further customization or modification of the escaping behavior.
    • Security Best Practices: Always use esc_js() when echoing data into JavaScript to prevent XSS vulnerabilities.
    • Limitations: This function is designed for inline JavaScript. For larger scripts or JSON data, other methods of escaping and encoding should be considered.
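
The single-quote requirement and the JSON limitation noted in the answer above, as an added example that is not part of the original answer or WordPress's own code. It assumes the file is rendered inside WordPress (so esc_js(), esc_html() and wp_json_encode() are loaded); the sample title, the demoSettings variable and the post ID are constructed for illustration.

```php
<?php
// Added example. Assumes WordPress is loaded (theme template or plugin file).

// Constructed sample standing in for untrusted input such as a post title.
$title = "Bob's \"quick\" guide & notes\nsecond line";

// Case 1: inline event handler.
// esc_js() is placed INSIDE a single-quoted JavaScript string literal.
// It backslash-escapes quotes and line breaks and encodes the characters
// that would otherwise end the double-quoted HTML attribute.
?>
<button type="button" onclick="alert('<?php echo esc_js( $title ); ?>');">
	<?php echo esc_html( $title ); ?>
</button>

<?php
// Case 2: what to avoid.
// Echoing esc_js( $title ) into the handler WITHOUT the surrounding single
// quotes leaves the value to be parsed as JavaScript code rather than as a
// string. esc_js() only handles characters that matter inside a string
// literal, so it offers no protection in that position.

// Case 3: structured data in a script block.
// For arrays or objects, encode the whole value as JSON instead of escaping
// pieces with esc_js(). The JSON_HEX_* flags keep <, >, &, ' and " out of
// the output, so the data cannot close the script element early.
$settings = array(
	'title'  => $title,
	'postId' => 42, // constructed value
);
$json_flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
?>
<script>
	var demoSettings = <?php echo wp_json_encode( $settings, $json_flags ); ?>;
	console.log( demoSettings.title );
</script>
```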
