Should you escape these?
$date_format = "Y/m/d";
$time_format = get_option( 'time_format' );
No. That would be early escaping! Early escaping is very bad!
However, should you escape this?
echo '<td>' . $date . ' ' . $time . '</td>';
YES.
Escaping is not about whether it’s needed or not. If you ever find yourself saying “It shouldn’t be a problem because it’s always a”, stop yourself and escape.
Escaping is about enforcing assumptions and expectations. Why trust that it will be safe when you can escape and guarantee that it’s safe?
This protects you in multiple ways, e.g. if you use esc_html you’ve guaranteed the string will never contain HTML. Even if you make changes further up in the future, filters get added, etc., you always know that it’s safe because you escaped at the moment of output.
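The difference between early and late escaping, as an added example that is not part of the original answer. The esc_html and get_option stand-ins (so it runs outside WordPress), hypothetical_time_filter and the two render functions are assumptions made for illustration.

```php
<?php
// Stand-ins so this runs outside WordPress (assumption: simplified versions
// of the WordPress functions with the same names).
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'get_option' ) ) {
    function get_option( $name ) {
        return 'time_format' === $name ? 'H:i' : false;
    }
}

// Hypothetical filter added later by other code: it decorates the time
// with markup the original author never expected (constructed sample).
function hypothetical_time_filter( $time ) {
    return $time . ' <em>UTC</em>';
}

// Early escaping: the values are escaped when they are built, so anything
// that touches them afterwards reaches the page unescaped.
function render_cell_early( $timestamp ) {
    $date = esc_html( gmdate( 'Y/m/d', $timestamp ) );
    $time = esc_html( gmdate( get_option( 'time_format' ), $timestamp ) );
    $time = hypothetical_time_filter( $time );
    return '<td>' . $date . ' ' . $time . '</td>';
}

// Late escaping: nothing is escaped until the moment of output, so the
// cell is plain text no matter what happened further up.
function render_cell_late( $timestamp ) {
    $date = gmdate( 'Y/m/d', $timestamp );
    $time = gmdate( get_option( 'time_format' ), $timestamp );
    $time = hypothetical_time_filter( $time );
    return '<td>' . esc_html( $date . ' ' . $time ) . '</td>';
}

$timestamp = 1700000000; // constructed fixed timestamp
echo render_cell_early( $timestamp ), "\n";
echo render_cell_late( $timestamp ), "\n";
```

The early version emits the filter's <em> element as live markup, while the late version emits it as &lt;em&gt; text.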