So what’s the difference between these, and when should we use each one?
Is esc_attr() safe enough to escape any type of data you get from the user?

1 Answer

esc_attr() is, for the most part, an alias for a) kses (strips evil chars to prevent XSS) and b) htmlspecialchars(), for use in HTML attributes. It can be used to display sanitized user input that cannot contain HTML.

If you need only to sanitize strings before storing in the db, there are multiple variants of kses available.

Also, don’t miss the other esc_*() functions. There are quite a few.

The other two you mention are self-explanatory.
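Added example, not code from the question or the answer above: a small WordPress snippet that runs the same hostile input through the escaping function for each output context, to show why esc_attr() is only right for attribute values and why href, inline JavaScript and rich text each need their own helper. It assumes a loaded WordPress install (run it with `wp eval-file` or after requiring wp-load.php); the file name, variable names and the sample inputs are constructed for illustration.

```php
<?php
/**
 * Added example (not code from the question or the answer above).
 * Assumes a loaded WordPress install: run it with `wp eval-file esc-contexts.php`
 * or put `require_once 'wp-load.php';` first. All inputs below are constructed
 * attacker-controlled strings; the file name and variable names are hypothetical.
 */

// Constructed hostile inputs, one per output context.
$attr_input = '" onmouseover="alert(1)';       // tries to close the attribute and add a handler
$text_input = '<script>alert(1)</script>';     // tries to inject markup into a text node
$url_input  = 'javascript:alert(1)';           // dangerous scheme in an href/src value
$js_input   = "'; alert(1); //";               // tries to break out of a JS string literal
$rich_input = '<strong>hi</strong><script>alert(1)</script>'
            . '<a href="javascript:alert(1)" onclick="steal()">x</a>';

// 1. Double-quoted HTML attribute: esc_attr() encodes quotes and angle brackets,
//    so the value cannot terminate the attribute or smuggle in a new one.
printf('<input type="text" value="%s">' . "\n", esc_attr($attr_input));

// 2. HTML text node: esc_html() encodes the angle brackets, so no tag is parsed.
printf('<p>%s</p>' . "\n", esc_html($text_input));

// 3. URL attribute: esc_attr() only encodes characters; it leaves the javascript:
//    scheme untouched, so the link is still dangerous even though it "looks escaped".
printf('<a href="%s">attr-only</a>' . "\n", esc_attr($url_input));
//    esc_url() checks the scheme against wp_allowed_protocols() and returns an
//    empty string when the scheme is not allowed, as javascript: is not.
printf('<a href="%s">esc_url</a>' . "\n", esc_url($url_input));

// 4. Single-quoted string inside inline JavaScript: esc_js() escapes quotes and
//    line endings for exactly this context; esc_attr() would not stop the break-out.
printf("<script>var userName = '%s';</script>\n", esc_js($js_input));

// 5. Multi-line text inside a <textarea>: esc_textarea() is the dedicated helper.
printf('<textarea>%s</textarea>' . "\n", esc_textarea($text_input));

// 6. User content that is allowed to keep safe HTML: escaping would destroy the
//    <strong> tag, so this is the kses case. wp_kses_post() keeps the tags allowed
//    in post content and drops <script>, event-handler attributes such as onclick,
//    and disallowed schemes such as javascript: in URL attributes.
echo wp_kses_post($rich_input), "\n";
```

The rule of thumb the output makes visible: pick the escaping function by where the string lands in the document (attribute, text, URL, JavaScript string), and escape at output time rather than trusting that something was sanitized before it went into the database. Escaping a value that has already been escaped once is harmless here, which is the main reason these helpers belong in the template rather than in the save path.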
