Should you escape these?
$date_format = "Y/m/d";
$time_format = get_option( 'time_format' );
No. That would be early escaping! Early escaping is very bad!
However, should you escape this?
echo '<td>' . $date . ' ' . $time . '</td>';
YES.
Escaping is not about whether it’s needed or not. If you ever find yourself saying “It shouldn’t be a problem because it’s always a”, stop yourself and escape.
Escaping is about enforcing assumptions and expectations. Why trust that it will be safe when you can escape and guarantee that it’s safe?
This protects you in multiple ways. For example, if you use esc_html you’ve guaranteed the string will never contain HTML. Even if you make changes further up in the future, or filters get added, you always know that it’s safe because you escaped at the moment of output.
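An added example (not part of the original answer) of escaping at the moment of output: the same table cell is built with and without esc_html while the time format changes upstream. The esc_html() stand-in, the helper function names, the timestamp and the format values are assumptions made so the script runs outside WordPress.

```php
<?php
// Stand-in so the example runs without WordPress (assumption: simplified;
// inside WordPress the real esc_html() is used and this is skipped).
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// The output from the answer, unchanged: it trusts $date and $time.
function render_cell_unescaped( $date, $time ) {
    return '<td>' . $date . ' ' . $time . '</td>';
}

// Late escaping: the values are escaped where they meet the markup,
// so nothing that happened earlier can put HTML into the cell.
function render_cell_late_escaped( $date, $time ) {
    return '<td>' . esc_html( $date . ' ' . $time ) . '</td>';
}

// Constructed sample data. Do NOT escape here: these are format strings,
// not output, and escaping them now would be early escaping.
$timestamp   = 1700000000;
$date_format = 'Y/m/d';
$time_formats = array(
    'format as expected'      => 'H:i',
    // Hypothetical value after an option edit or an added filter; the
    // backslashes make date() print the letters literally, giving a tag.
    'format changed upstream' => 'H:i <\b\r>',
);

foreach ( $time_formats as $label => $time_format ) {
    $date = gmdate( $date_format, $timestamp );
    $time = gmdate( $time_format, $timestamp );

    echo $label, "\n";
    echo '  unescaped:    ', render_cell_unescaped( $date, $time ), "\n";
    echo '  late escaped: ', render_cell_late_escaped( $date, $time ), "\n";
}
```

With the expected format both cells are identical; with the changed format only the late-escaped cell still contains a single text node and no extra element.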