From 8c683784464aba323f7e5d380ab39cb6cfa834ea Mon Sep 17 00:00:00 2001 From: Maxime CULEA Date: Sun, 12 Jun 2016 21:38:06 +0200 Subject: [PATCH 1/2] Update escaping-output.md Add esc_attr example and talk about special case which is textarea escaping. --- security/escaping-output.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/security/escaping-output.md b/security/escaping-output.md index ff36d2b..058ac03 100644 --- a/security/escaping-output.md +++ b/security/escaping-output.md @@ -29,7 +29,9 @@ WordPress thankfully has a few helper functions we can use for most of what we `esc_attr()` can be used on everything else that's printed into an HTML element's attribute. -@todo example for esc_attr() +``` +">Click me +``` It's important to note that most WordPress functions properly prepare the data for output, and you don't need to escape again. @@ -39,6 +41,14 @@ It's important to note that most WordPress functions properly prepare the data f @todo include note of wp_post_kses() +Spacial case when working on textarea. Applying wp_kses will delete
html tag and newlines will not be preserved. It is althought possible, if using this trick : + +``` +
+ echo trim( str_replace( '%newline%', '
', wp_kses( str_replace( '
', '%newline%', $string ), '' ) ) ); +
+``` + ### Conclusion Whenever you're rendering data from the database, you'll want to make sure it's properly escaped. Escaping helps prevent issues like cross-site scripting. From 486ae6bd50c941ac5dddc95759d6838e76fc2ad0 Mon Sep 17 00:00:00 2001 From: Maxime CULEA Date: Sun, 12 Jun 2016 21:40:09 +0200 Subject: [PATCH 2/2] Update escaping-output.md --- security/escaping-output.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/escaping-output.md b/security/escaping-output.md index 058ac03..16679a8 100644 --- a/security/escaping-output.md +++ b/security/escaping-output.md @@ -30,7 +30,7 @@ WordPress thankfully has a few helper functions we can use for most of what we `esc_attr()` can be used on everything else that's printed into an HTML element's attribute. ``` -">Click me +Click me ``` It's important to note that most WordPress functions properly prepare the data for output, and you don't need to escape again. @@ -41,7 +41,7 @@ It's important to note that most WordPress functions properly prepare the data f @todo include note of wp_post_kses() -Spacial case when working on textarea. Applying wp_kses will delete
html tag and newlines will not be preserved. It is althought possible, if using this trick : +Special case when working on *textarea*. While applying wp_kses will delete
html tag and newlines will not be preserved, there is a trick to do it. ```
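Review bot: the block that replaces `@todo example for esc_attr()` in the first hunk of PATCH 1/2 never calls `esc_attr()`; as it appears here the fenced content is only `">Click me`, so the reader sees a closing quote and link text but not the value being escaped inside the attribute. Show the whole element with the call in the attribute, for example `<a href="<?php echo esc_attr( $url ); ?>">Click me</a>`, and tag the fence as `php` so the mixed HTML/PHP reads clearly.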
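Review bot: the placeholder trick in the second hunk of PATCH 1/2 has a collision problem: `%newline%` is turned back into markup after `wp_kses()` has run, so any literal `%newline%` already present in `$string` also becomes a tag that kses never inspected. Use a token that cannot occur in user input, or check for it before substituting. The second argument `''` is also not an empty allowed-tags list; `wp_kses()` treats a string there as a context name and falls back to the default allowed tag set, so pass `array()` (or the `'strip'` context) if the intent is to remove all markup. WordPress already ships `esc_textarea()` for textarea content, which keeps newlines intact, and the paragraph should name it as the normal choice before offering a workaround. Minor: `althought` and the space before the colon in `this trick :`.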
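Review bot: replacing `">Click me` with `Click me` in the first hunk of PATCH 2/2 drops the only hint that the example sits inside an attribute, leaving bare link text with no `esc_attr()` call, so the snippet no longer illustrates the sentence above it. Include the attribute and the call, e.g. `<a href="<?php echo esc_attr( $url ); ?>">Click me</a>`.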
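Review bot: the rewritten sentence in the second hunk of PATCH 2/2 fixes the spelling but still reads awkwardly ("will delete html tag and newlines will not be preserved, there is a trick to do it"); suggest "Special case when working on a *textarea*: `wp_kses()` strips that HTML tag, so newlines are not preserved. One way around this:". Because this hunk touches only the sentence, the `wp_kses( ..., '' )` call that follows it still passes a context string rather than an empty allowed-tags array, and `esc_textarea()` remains the simpler option to point readers to.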