diff --git a/security/escaping-output.md b/security/escaping-output.md
index ff36d2b..16679a8 100644
--- a/security/escaping-output.md
+++ b/security/escaping-output.md
@@ -29,7 +29,9 @@ WordPress thankfully has a few helper functions we can use for most of what we
 
 `esc_attr()` can be used on everything else that's printed into an HTML element's attribute.
 
-@todo example for esc_attr()
+```
+<a href="#" class="<?php echo esc_attr( implode( ', ', $custom_classes ) ); ?>">Click me</a>
+```
 
 It's important to note that most WordPress functions properly prepare the data for output, and you don't need to escape again.
 
@@ -39,6 +41,14 @@ It's important to note that most WordPress functions properly prepare the data f
 
 @todo include note of wp_post_kses()
 
+Special case when working on *textarea*. While applying wp_kses will delete <br /> html tag and newlines will not be preserved, there is a trick to do it.
+
+```
+<div class="excerpt">
+  echo trim( str_replace( '%newline%', '<br />', wp_kses( str_replace( '<br />', '%newline%', $string ), '' ) ) );
+</div>
+```
+
 ### Conclusion
 
 Whenever you're rendering data from the database, you'll want to make sure it's properly escaped. Escaping helps prevent issues like cross-site scripting.