Do we need to escape data that we receive from theme options?

YES. You always escape output that originally comes from user submitted data.

To be safe, you always escape variable output, period.

Related Posts:

  1. How to escape custom css?
  2. What’s the difference between esc_* functions?
  3. How Could I sanitize the receive data from this code
  4. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  5. how to sanitizing $_POST with the correct way?
  6. Should I escape wordpress functions like the_title, the_excerpt, the_content
  7. How safe / sanitized is wp_insert_posts()?
  8. When to use esc_html and when to use sanitize_text_field?
  9. From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
  10. What is the difference between esc_html filter vs attribute_escape filter?
  11. What to use instead of wp_kses() in user output
  12. is_email() VS sanitize_email()
  13. Which KSES should be used and when?
  14. Do Cookies Need to be Sanatized Before Being Saved?
  15. Do you need to escape hard coded plain text?
  16. Do I need to use the esc_html() function on hard coded links?
  17. Sanitizing comments or escaping comment_text()
  18. Is default functions like update_post_meta safe to use user inputs?
  19. vs WordPress Security
  20. Something is unescaping all html entities before output to browser [closed]
  21. Is wp_kses the right approach in sanitizing this string?
  22. Is it sensible to worry about sanitizing admin input in plugin custom CSS?
  23. What is the safe way to print tracking code / pixel code before tag or tag
  24. Does meta-data need to be sanitized?
  25. should I escape a literal url added in functions.php
  26. How WordPress sanitizes post content on save? Or it doesn’t?
  27. esc_url, esc_url_raw or sanitize_url?
  28. SSL Error: unable to get local issuer certificate
  29. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]
  30. What does it mean to escape a string?
  31. Where does Internet Explorer store saved passwords?
  32. Infected Files – what to do [closed]
  33. Why does WordPress need my private ssh key to update?
  34. Why does WordPress have more than one salt?
  35. What is the ideal setup to address security concerns?
  36. Can someone explain the use cases of esc_html?
  37. Close a wordpress blog – keep site as it is but prevent hacks
  38. Escaping WP_Query tax_query when term has special character(s)
  39. Prevent setup-config.php page from appearing when host blocks database
  40. WordPress and Security
  41. Moving wordpress out of the public directory
  42. Escaping built-in WP function return strings
  43. Is /wp-login.php?redirect_to[] exploitable?
  44. brute force attack even though it is limited by IP
  45. What should I do about hacked server?
  46. How can I tell who changed the password?
  47. WordPress website Security [closed]
  48. How do I authenticate WP users from a chrome extension?
  49. Website is being flooded [closed]
  50. Is the “lost password” feature truly a vulnerability?
  51. why is esc_html() returning nothing given a string containing a high-bit character?
  52. Why was my blog post inserted lot’s of ad links by others?
  53. Should I Worry About SQL Injection When Using wp_insert_post?
  54. Auth cookie value security risk?
  55. Is there a way for a user to have an alias?
  56. Security – Shortcode injection attack
  57. Registration Plugin – Recaptcha integration
  58. Security threat with `home_url`?
  59. How to combat flooding admin-ajax.php?
  60. When is wp_set_password() called or how to capture a password
  61. Moving away from MD5: Where to declare the custom global $wp_hasher?
  62. Would it be dangerous to send all the wp_options to javascript file?
  63. Should I disable directory listing for wp-includes?
  64. How to get WordPress to send Password Reset Link Email instead of New Password?
  65. Safety side of storing emoji into database
  66. How can I safely hide the fact that my website runs on WordPress? [closed]
  67. How can I display nickname instead username in links
  68. My WordPress Websites are always under attack
  69. Is there value in using a wp_nonce for POST requests?
  70. How to hide easy access to my website temporarily?
  71. Can I Remove xmlrpc.php completely?
  72. How much should I worry about these messages?
  73. Security concerns with external links
  74. Uploading .webm format on WordPress results in security guidline breach and fail
  75. How to escape html generate by a loop
  76. Any any insecure http:// URLs left in wordpress?
  77. White screen of death on admin pages after moving wp-config up two levels for security
  78. Spam injected in w3 total cache page cache [closed]
  79. How to distinguish between a hack and an encoding error?
  80. Prevent editor from adding script or form
  81. How to change location of wp-config.php to folder or 2 folders up?
  82. Finding where a snippet of code is coming from
  83. Remove hacked code – out of ideas! [closed]
  84. After limiting the access to my wp-login.php by IP through .htaccess, all my password-protected posts stopped working. What’s the best solution now?
  85. Block JSON access over the net
  86. Can someone do something to my website if I posted a snapped image of the header and covered my logo? (On reddit, when explaining a question)
  87. The in-famous Unable to locate WordPress Content directory (wp-content) and the Direct Method
  88. Security: Critical backend outside of wordpress
  89. Advice On How to Backup WordPress
  90. My site thinks it’s secure when it is fact not
  91. Is it possible to only have the admin interface bind to the local loopback?
  92. Should I change the default file and folder permissions?
  93. WordPress exploited theme is causing high io load on server
  94. How to rewrite rules for WP-security in Nginx?
  95. How to set custom validation for WordPress Passwords?
  96. Is it a bad idea to CHMOD 777 all the files on your site?
  97. How to stop repeated hack on header.php of custom theme? [closed]
  98. Default installation permissions for wp-config.php
  99. Correct setup to block file modifications from hackers
  100. SSH keypair generation: RSA or DSA?