Remove esc_html from plugins PHP

Removing esc_html() is not only not future proof, it is likely introducing a security vulnerability for your visitors. Unescaped data can cause serious difficulties for users unless the original data source is completely reliable. If you are certain the data source is always safe and reliable, you best option is to create your own custom output that utilizes the meta data without escaping.

Another thing you can try is contacting the plugin’s authors to find out if there’s a sustainable way to get unescaped HTML output. jQuery or Javascript is also a possibility, but it tends to make for a poor user experience. Because such script does not run until the page’s DOM has fully loaded, there is a discernible delay between the initial PHP output and when the desired content appears. Users can either miss the correct content or fear something is amiss when content “magically” changes with no action on their part.

How about wp_kses?

wp_kses( get_post_meta($post->ID, $key, true) );

Hmmm. That has potential, but it must be setup properly. Even then I’m not sure if it will totally get it. Only because I’m not entirely sure what it all does, it may be fine. Depending on the application, it may even be better. You also need to pass an array of allowed HTML elements to wp_kses() (e.g. “setup properly”).

If your intention is to only allow links, I think I would be more inclined to go ahead and stay with esc_html(), then go back in and replace any entities it converted that are associated with links back to the actual characters. The only tricky part would be getting the correct regexp to identify link related quote and > characters that are to be converted back.

Instead, you could use preg_split() to break out the links, and escaping only the fragments before reassembling the string. You need to use the PREG_SPLIT_DELIM_CAPTURE flag for this to work properly.