YES. You always escape output that originally comes from user submitted data.
To be safe, you always escape variable output, period.
Related Posts:
- How to escape custom css?
- What’s the difference between esc_* functions?
- How Could I sanitize the receive data from this code
- Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
- how to sanitizing $_POST with the correct way?
- Should I escape wordpress functions like the_title, the_excerpt, the_content
- How safe / sanitized is wp_insert_posts()?
- When to use esc_html and when to use sanitize_text_field?
- From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
- What is the difference between esc_html filter vs attribute_escape filter?
- What to use instead of wp_kses() in user output
- is_email() VS sanitize_email()
- Which KSES should be used and when?
- Do Cookies Need to be Sanatized Before Being Saved?
- Do you need to escape hard coded plain text?
- Do I need to use the esc_html() function on hard coded links?
- Sanitizing comments or escaping comment_text()
- Is default functions like update_post_meta safe to use user inputs?
- vs WordPress Security
- Something is unescaping all html entities before output to browser [closed]
- Is wp_kses the right approach in sanitizing this string?
- Is it sensible to worry about sanitizing admin input in plugin custom CSS?
- What is the safe way to print tracking code / pixel code before tag or tag
- Does meta-data need to be sanitized?
- should I escape a literal url added in functions.php
- How WordPress sanitizes post content on save? Or it doesn’t?
- esc_url, esc_url_raw or sanitize_url?
- SSL Error: unable to get local issuer certificate
- When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]
- What does it mean to escape a string?
- Where does Internet Explorer store saved passwords?
- Infected Files – what to do [closed]
- Why does WordPress need my private ssh key to update?
- Why does WordPress have more than one salt?
- What is the ideal setup to address security concerns?
- Can someone explain the use cases of esc_html?
- Close a wordpress blog – keep site as it is but prevent hacks
- Escaping WP_Query tax_query when term has special character(s)
- Prevent setup-config.php page from appearing when host blocks database
- WordPress and Security
- Moving wordpress out of the public directory
- Escaping built-in WP function return strings
- Is /wp-login.php?redirect_to[] exploitable?
- brute force attack even though it is limited by IP
- What should I do about hacked server?
- How can I tell who changed the password?
- WordPress website Security [closed]
- How do I authenticate WP users from a chrome extension?
- Website is being flooded [closed]
- Is the “lost password” feature truly a vulnerability?
- why is esc_html() returning nothing given a string containing a high-bit character?
- Why was my blog post inserted lot’s of ad links by others?
- Should I Worry About SQL Injection When Using wp_insert_post?
- Auth cookie value security risk?
- Is there a way for a user to have an alias?
- Security – Shortcode injection attack
- Registration Plugin – Recaptcha integration
- Security threat with `home_url`?
- How to combat flooding admin-ajax.php?
- When is wp_set_password() called or how to capture a password
- Moving away from MD5: Where to declare the custom global $wp_hasher?
- Would it be dangerous to send all the wp_options to javascript file?
- Should I disable directory listing for wp-includes?
- How to get WordPress to send Password Reset Link Email instead of New Password?
- Safety side of storing emoji into database
- How can I safely hide the fact that my website runs on WordPress? [closed]
- How can I display nickname instead username in links
- My WordPress Websites are always under attack
- Is there value in using a wp_nonce for POST requests?
- How to hide easy access to my website temporarily?
- Can I Remove xmlrpc.php completely?
- How much should I worry about these messages?
- Security concerns with external links
- Uploading .webm format on WordPress results in security guidline breach and fail
- How to escape html generate by a loop
- Any any insecure http:// URLs left in wordpress?
- White screen of death on admin pages after moving wp-config up two levels for security
- Spam injected in w3 total cache page cache [closed]
- How to distinguish between a hack and an encoding error?
- Prevent editor from adding script or form
- How to change location of wp-config.php to folder or 2 folders up?
- Finding where a snippet of code is coming from
- Remove hacked code – out of ideas! [closed]
- After limiting the access to my wp-login.php by IP through .htaccess, all my password-protected posts stopped working. What’s the best solution now?
- Block JSON access over the net
- Can someone do something to my website if I posted a snapped image of the header and covered my logo? (On reddit, when explaining a question)
- The in-famous Unable to locate WordPress Content directory (wp-content) and the Direct Method
- Security: Critical backend outside of wordpress
- Advice On How to Backup WordPress
- My site thinks it’s secure when it is fact not
- Is it possible to only have the admin interface bind to the local loopback?
- Should I change the default file and folder permissions?
- WordPress exploited theme is causing high io load on server
- How to rewrite rules for WP-security in Nginx?
- How to set custom validation for WordPress Passwords?
- Is it a bad idea to CHMOD 777 all the files on your site?
- How to stop repeated hack on header.php of custom theme? [closed]
- Default installation permissions for wp-config.php
- Correct setup to block file modifications from hackers
- SSH keypair generation: RSA or DSA?