Escaping Issues

The point of escaping is to make sure that when a value is output, it cannot output anything malicious, or that would just break the markup of the page. For example, when outputting a variable, you will want to escape certain characters so that the value can’t unintentionally open or close HTML tags, which could break the layout of your page, or even output a <script></script> element that could run malicious JavaScript.

WordPress VIP’s documentation has a great overview of the concept, with examples: https://wpvip.com/documentation/vip-go/validating-sanitizing-and-escaping/

Regarding your specific examples:

Must I escape variables, if it is, how can I do it?

For example: global $redux_demo;

in this code:

    if ( class_exists( 'Redux' ) ) {
        global $redux_demo;
    if ($redux_demo['button-set-single-archive-services'] == 2)
    {
        get_template_part( 'demo-archive-services' );
        die;```

No. Not all variables need to escaped. Variables only need to be escaped when output. $redux_demo is not being output, so nothing here needs to be escaped.

Is it true escaping?

<?php esc_html_e( 'Our Services', 'hekim' )?>```

Yes. _e() is a function that allows the 'Our Services' string to be replaced by a translation. This means that you can’t trust that the output of this line will always be safe. Therefore it needs to be escaped. esc_html_e() is a function that automatically escapes with esc_html(), after running _e() to allow the text to be translated.

Functions start with the, need escaping or not?

For example : <?php the_title(); ?>

If I change these functions with the functions start with get, do
they need escaping? Is there any difference about output with
functions start the and functions start get?

As a general rule, built in functions that start with the_ don’t need to be escaped, but functions starting with get_ do need to be escaped. For example, the_permalink() uses esc_url() to escape get_the_permalink() before outputting it.

Why this escaped function doesnt seem?

After escaped this phare, it doesnt seem.What is my mistake in escaping? What is the true form?

<li><?php esc_html( '<a href="#"> HOME </a>' ); ?>xx</li>

The point of esc_html() is to prevent any HMTL in the value from being interpreted as HTML. There is nothing in this example that needs to be escaped. If the link URL was a variable, that would need to be escaped.

Related Posts:

  1. What characters do I need to escape in XML documents?
  2. What characters must be escaped in HTML 5?
  3. How can I selectively escape percent (%) in Python strings?
  4. How do I escape a single quote in jQuery?
  5. Escape Character in SQL Server
  6. How to escape apostrophe (‘) in MySql?
  7. Should HTML output be passed through esc_html() AND wp_kses()?
  8. How to prevent escaping when saving HTML code in an option value?
  9. How to correctly escape query variables to be used in WP_Query
  10. esc_attr / esc_html / esc_url in echos
  11. When do I need to use esc_html()? [duplicate]
  12. what’s different between esc_attr, htmlspecialchars and htmlentities
  13. Allow all attributes in $allowedposttags tags
  14. When outputting a static string to the page, is it necessary to escape the output?
  15. How Flexible are the WordPress Coding Standards for PHPCS?
  16. why is esc_html() returning nothing given a string containing a high-bit character?
  17. How to properly escape a translated string?
  18. Translate a Constant while appeasing WordPress PHPCS
  19. Using esc_url() on a url more than once
  20. Do I need to escape get_theme_mod(‘url’) / (‘mail’) with esc_url?
  21. How to allow &nbsp with wp_kses()?
  22. Using esc_attr_e
  23. Why esc_html_() is not used on every text that has a translation (on Twenty Twenty One)?
  24. Escaping crashes my output
  25. How to safely escape the title attribute
  26. How to safely escape data that contains HTML attributes
  27. Can wp_strip_all_tags be used as a substitute for esc_url, esc_attr & esc_html?
  28. Echoing a URL to a link
  29. wp_kses_post escaping doesn’t appear to work as described?
  30. file_get_contents | escaping doesnt show the page
  31. Help about Escaping
  32. How to keep specific tag from an html string?
  33. Escaping and Special Characters (e.g. &)
  34. Escaping get_option( ‘time_format’ ) is nesserary?
  35. Uses for the ‘"’ entity in HTML
  36. How can I add ” character to a multi line string declaration in C#?
  37. Illegal Escape Character “\”
  38. Escape quotes in JavaScript
  39. How is \\n and \\\n interpreted by the expanded regular expression?
  40. Why shouldn’t `'` be used to escape single quotes?
  41. What does it mean to escape a string?
  42. Escaping HTML strings with jQuery
  43. What’s the Use of ‘\r’ escape sequence?
  44. How do I escape ampersands in XML so they are rendered as entities in HTML?
  45. Unrecognized escape sequence for path string containing backslashes
  46. What’s the difference between esc_html, esc_attr, esc_html_e, and so on?
  47. Should I escape wordpress functions like the_title, the_excerpt, the_content
  48. What is the difference between esc_html filter vs attribute_escape filter?
  49. Sanitize and data validation with apply_filters() function
  50. How to print translation supported text with HTML URL
  51. How do translated, escaped strings (esc_attr) in Themes work?
  52. Escaping WP_Query tax_query when term has special character(s)
  53. Do I need to escape data passed to wp_localize_script()?
  54. how to escape wp_oembed_get for phpcs
  55. How to escape html code with html allowed
  56. esc before saving or before displaying does it matter?
  57. Updating a post without escaping ampersands?
  58. Prevent add_shortcode from escaping a tag
  59. Escape hexadecimals/rgba values
  60. Whats the safest way to output custom JavaScript and Css code entered by the admin in the Theme Settings?
  61. wp_specialchars and wp_specialchars_decode in a shortcode plugin
  62. Sanitizing comments or escaping comment_text()
  63. Must I serialize/sanitize/escape array data before using set_transient?
  64. I am not understandinhg $wpdb->prepare correctly
  65. esc_attr not working in shortcode
  66. meta_query works locally but not on live server
  67. How do I escape a table name or column name in SQL? esc_sql doesn’t do this
  68. Sanitizing, Validating and Escaping in WordPress (Plugin)
  69. Escaping / encoding data before insert into a database?
  70. Escape when echoed
  71. How to sanitize user input?
  72. Should I always prefer esc_attr_e & esc_html_e instead of _e?
  73. Does balanceTags() provide any escaping / protection?
  74. WP_Editor – Saving Value into Plugin Option – Stripping HTML
  75. Is it necessary to escape LIKE term in WP_User_Query?
  76. Post Content, Special Characters and Filters
  77. Updating post data on save (save_post vs wp_insert_post_data)
  78. What is the safe way to print tracking code / pixel code before tag or tag
  79. How to escape attachment image caption text?
  80. mysql_real_escape_string() vs. esc_sql() in WordPress
  81. How to escape multiple attribute at once in WordPress?
  82. Trouble inserting string containing quotations marks with wpdb in save_post hook
  83. How to be escape Variables and options when echo?
  84. Why would you use esc_attr() on internal functions?
  85. Is there any solution, ide/tool etc., for automatic escaping for WordPress?
  86. How to safely return the HTML?
  87. product description text displays above website when in shop page [closed]
  88. how can i send this to wp_head – escape problem
  89. Should I escape the html for the settings field created with add_settings_field?
  90. how to unescape wordpress output
  91. How to use wp_filter_oembed_result?
  92. Escaping a WPDB Object in One Shot
  93. Escaping html for meta description
  94. Render the metabox input values as HTML
  95. Escaping WP_Query tax_query when term has special character(s)
  96. Where is escaped the shortcode?
  97. Escaping a shortcode so it displays as-is [duplicate]
  98. problem with quotes on new post
  99. Using `esc_attr( get_block_wrapper_attributes() )`, results in `class=””wp-block-foo””`
  100. Escaping admin_url output being passed to js (esc_js vs esc_url)