Sanitizing comments or escaping comment_text()

After thinking about this a little bit, I guess that the proper way to ensure that your comments are properly escaped, is by doing something like this:

$the_comment = get_comment_text();
echo '<p>' . esc_html($the_comment) . '</p>';

Instead of simply using the function like this:

comment_text();

Why even have these handy functions in the first place, if they aren’t properly escaped? The comment_author(); function IS, yet this is not for some reason?

Perhaps I am missing something?

I was missing something: the unfiltered_html capability given to the admin role, extends to comments. Read more here: https://wordpress.org/support/article/roles-and-capabilities/#unfiltered_html

Related Posts:

  1. comment_post_ID 0 (cannot remove from dashboard)
  2. What’s the difference between esc_* functions?
  3. How to escape custom css?
  4. Why do I get accidental comments without (the required) email address?
  5. How to Block Access to Standard Login Flow and Comment Flow
  6. Strategies for coping with hyperagressive spambots?
  7. How Could I sanitize the receive data from this code
  8. wp_insert_comment and security
  9. Is WordPress vulnerable to “comment posting forgery”?
  10. What is the safe way to print tracking code / pixel code before tag or tag
  11. Admin can enter JavaScript – potential security risk?
  12. Do we need to escape data that we receive from theme options?
  13. reCaptcha doesnt appear in comment (manual or plugin)
  14. WordPress scruity issue – Totally disable all comments by CSS — secure enough?
  15. How are readers authenticated for leaving comments?
  16. WordPress Commenting System User access and Security
  17. esc_url, esc_url_raw or sanitize_url?
  18. how to sanitizing $_POST with the correct way?
  19. How do I comment out a block of tags in XML?
  20. What does it mean to escape a string?
  21. R: Comment out block of code
  22. Why do I get comment spam even with Akismet and Captcha?
  23. What tools are available for managing/writing to WordPress? [closed]
  24. How to rearrange fields in comment_form()
  25. setting comments off as default for pages and custom post types?
  26. Should I escape wordpress functions like the_title, the_excerpt, the_content
  27. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  28. Is it possible to pull comments from facebook into your blog?
  29. How safe / sanitized is wp_insert_posts()?
  30. Should HTML output be passed through esc_html() AND wp_kses()?
  31. When to use esc_html and when to use sanitize_text_field?
  32. From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
  33. What is the difference between esc_html filter vs attribute_escape filter?
  34. Filtering the Admin Comments List to Show Only Comments from the Current User?
  35. Non-threaded comment replies with link to original comment
  36. Escaping and sanitizing SVGs in metabox textarea
  37. Sanitize and data validation with apply_filters() function
  38. Approve comment hook?
  39. Commenting in user profile page?
  40. How to change “You must be logged in to post a comment.”
  41. Disable comments on all posts/pages
  42. How do I delete all comments from a specific old blog post?
  43. Which WP functions do you need to use esc_html() or esc_url() on?
  44. Removing the “Website” Field from Comments and Replies?
  45. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  46. Stop WordPress redirecting comment-page-1 to the post page?
  47. What to use instead of wp_kses() in user output
  48. Importing old Disqus comments into WordPress
  49. How to add a class to the comment submit button?
  50. How to wrap submit button of comment form with div
  51. is_email() VS sanitize_email()
  52. Sanitizing integer input for update_post_meta
  53. How to enable comments for pending and draft posts?
  54. Using WordPress’ WYSIWYG for comments
  55. Enable Submit Comment Without Page Reload (Using Ajax)?
  56. What for is the table “wp_commentmeta” exactly?
  57. Which KSES should be used and when?
  58. Getting Post Comments for post ID using WP_Query() and a Custom Loop?
  59. Add option to disable comments on a per posts basis?
  60. Resetting comment count
  61. When importing – failed to import: Invalid post type feedback
  62. How to change the email notification recipient (user) for new comments?
  63. Redirect user to a custom url after submitting the comment
  64. Paginate result set from $wpdb->get_results()
  65. Is sanitize_text_field() is enough to save to DB?
  66. Change Comment Author Display Name
  67. What is the difference between esc_html and wp_filter_nohtml_kses?
  68. Would switching to InnoDB from MyISAM improve performance of comments table?
  69. Custom comment type based on thread level
  70. How to add internal, revision comments to page updates
  71. How to load and show comments with AJAX instead of pagination?
  72. Linking to Page Showing Only Comments Without Parent Post
  73. Comment Reply javascript
  74. How do we remove the H3 tag for the reply-title I.D
  75. Comments not appearing at all
  76. comments reply script not working
  77. How to display comment form error messages in the same page
  78. 3 moderators to approve comment
  79. How to deal with small scale comment spam on small commercial sites? [closed]
  80. Escaping WP_Query tax_query when term has special character(s)
  81. What should I do to make generated avatars different for anonymous comments?
  82. A plugin where users can comment with Facebook or Twitter or OpenID [closed]
  83. Check If comment author is registered
  84. Comments screen in backend, how to disable email address of commenter for non admins
  85. Add comments from the admin panel?
  86. How can I limit the number of comments per registered user per day?
  87. One comment per user per post but be able to reply to existing comments
  88. How to use a custom comments template
  89. Comment visibility
  90. What’s the easiest way to close comments on media/attachments?
  91. Reverse comment pagination numbers
  92. Get comments for more than one post
  93. How can I add comments to a page?
  94. How to remove comment spam in WordPress
  95. Post Comments using WP REST API v2 in WordPress
  96. How to sanitize select box values in post meta?
  97. show number of open comments on custom dashboard
  98. Show content only if member left a comment
  99. Add placeholder attribute to comment form fields
  100. Does WordPress sanitize arguments to WP_Query?
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)