WordPress makes it easy to escape untrusted input to prevent SQL-injection, XSS (cross-site scripting), and other nefarious bits of text. Here is a quick rundown of WordPress’ built-in escape functions.
WordPress provides the following template tags to encode any/all instances of these characters:
' (left angled-bracket, right angled-bracket, ampersand, double quote, single quote). As a bonus, these tags will never double-encode entities. Here is the list: