Hi, can someone explain to me when to use esc() and html()?
Is it worth always adding esc() to texts entered in HTML tags using Kirby?
It depends on your threat model. If you cannot fully trust the value (for example because it comes from user input or because there might be attackers among the authenticated Panel users), we definitely recommend using esc().
You can read more in the guide:
Ok thanks