Sanitization html output itself

The more elaborate data is, the harder it is to both formulate and implement sanitization process.

For a number this might be as simple as “integer” and (int)$number.

For HTML this is highly not trivial with different possibilities of desired scope (no HTML tags? some blacklisted tags? some whitelisted tags? what about embedded scripts? CSS?) and very challenging implementation.

While WP does have wp_kses() implementing sanitization of HTML, it’s relatively slow and its reputation is less than stellar (or so I read in context of other established sanitization libraries).

I would say that in question as stated, the practical expectation is that function engineered to act as template tag is expected to produce sanitized output.

If you don’t believe it to, it would probably make more sense to audit it (and report any discovered shortcomings to developer) rather than try to sanitize complex output.

Related Posts:

  1. WP Coding standards – escaping the inescapable?
  2. Should I sanitize an email address before passing it to the is_email() function?
  3. Escaping and sanitizing SVGs in metabox textarea
  4. What is the difference between wp_strip_all_tags and wp_filter_nohtml_kses?
  5. Reason for Lowercase usernames
  6. What is the best way to sanitize data?
  7. Should nonce be sanitized?
  8. esc_url removes white space. Can I change that to using ‘-‘?
  9. Sanitatizing when using the posts_where hook
  10. Escape hexadecimals/rgba values
  11. Correct processing of `$_POST`, following WordPress Coding Standards
  12. Must I serialize/sanitize/escape array data before using set_transient?
  13. Echo JavaScript Safely
  14. wp_kses ignore allowed and allow everything
  15. Sanitize array callback for the WordPress Settings API
  16. Why the WP Core team does not allow filter_* functions? [closed]
  17. How to escape $_GET and check if isset?
  18. What’s a safe / good way to output HTML safely within WordPress templates?
  19. Do Not Understand → Rule No. 4: Making Data Safe Is About Context [closed]
  20. Sanitizing output that contains quotes?
  21. WP_Customize_Manager: How to get control ID
  22. How to use wp_filter_oembed_result?
  23. Post text sanitization after publishing/editing – changes are not saved
  24. wp_set_object_terms() without accents
  25. Escaping data from database (users table) is necessary?
  26. Properly sanitize an input field “Name “
  27. Why is WordPress code so “space-happy”?
  28. How safe / sanitized is wp_insert_posts()?
  29. What’s the difference between esc_* functions?
  30. Sanitizing integer input for update_post_meta
  31. Which KSES should be used and when?
  32. Is sanitize_text_field() is enough to save to DB?
  33. Escaping quotes from shortcode attributes
  34. How should I document function calls?
  35. PHP Coding Standards, Widgets and Sanitization
  36. How to sanitize select box values in post meta?
  37. Using global $post v/s $GLOBALS[‘post’]
  38. WP doesn’t show Array Custom Fields?
  39. Do Cookies Need to be Sanatized Before Being Saved?
  40. What is the difference between strip_tags and wp_filter_nohtml_kses?
  41. What is the difference between sanitize_text_field() and wp_filter_nohtml_kses()?
  42. I’m confused about URL sanitization in meta boxes
  43. How to set up phpcs with WordPress coding standard with PHP8?
  44. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  45. where to apply “apply filters” and other Sanitization Functions
  46. Can I use namespaces in my plugin?
  47. Is default functions like update_post_meta safe to use user inputs?
  48. PHPCS: Strings should have translatable content
  49. Who is responsible for data sanitization in WordPress development?
  50. How to sanitize user input?
  51. How to sanitize my cookie name
  52. Do We Need to Validate, Sanitize, or Filter Simple Numerical Superglobals (Cookies and Post)?
  53. WordPress mode for emacs?
  54. MITM risk of not sanitizing?
  55. Which escape function to use when escaping an email or plain text?
  56. WordPress Settings API – Sanitize Integer
  57. Is it better to create a function or a variable for current_theme_supports?
  58. Is wp_kses the right approach in sanitizing this string?
  59. Seeking clarity on data sanitization fields for settings textarea
  60. Is it sensible to worry about sanitizing admin input in plugin custom CSS?
  61. How to use sanitize_callback?
  62. Are all hooks/functions tied to Kses meant for sanitization?
  63. sanitize_text_field and apostrophe problem
  64. Getting error to display radio button value in General Settings page
  65. What data sanitzation function should be used to store entire source code of webpage?
  66. REQUIRED: Could not find wp_link_pages. See: wp_link_pages by Theme Checker
  67. What functions does WordPress use for filtering / sanitizing comments?
  68. Translate a Constant while appeasing WordPress PHPCS
  69. wordpress is adding a second backslash when I use addslashes
  70. WordPress messes up with data attributes in shortcode output
  71. textarea field is getting escaped for some unknown reason
  72. Do we need to escape data that we receive from theme options?
  73. Input sanitation
  74. How could I better initialize a method from my class?
  75. How WordPress sanitizes post content on save? Or it doesn’t?
  76. Is there a common structure for a wordpress formular?
  77. How to use checked() function with multiple check box group? How to properly sanitize that checkbox group?
  78. Can non-latin characters appear in slugs?
  79. Trouble matching strings (titles) using wp_query
  80. Sanitize WordPress Array Input?
  81. How to save Checkbox-Options in Plugin Options Page
  82. Should I use wp_cache in my plugin to make it faster?
  83. Customizer textarea with script tag won’t work in live preview
  84. Data Validation & Sanitization for Big HTML Blocks
  85. I need to get the control choices to sanitize_callback
  86. Standard technique for AJAX post endpoint: WP REST or WP API?
  87. Escaping WP_Query tax_query when term has special character(s)
  88. Escaping and sanitization
  89. PHP Code Sniffer – WordPress VIP Coding Standards
  90. Comparing pre-saved post_title to post-saved post_title
  91. Settings api sanatize callback not being triggered
  92. Auto post with filling templates from external data and update periodical
  93. Sanitizing a custom query’s clauses
  94. Customizer sanitize_callback for input type number
  95. How to automatically convert “normal” conditions to yoda conditions
  96. How can I properly sanitize the update_option in WordPress?
  97. Sanitize and Save metabox values
  98. esc_url, esc_url_raw or sanitize_url?
  99. How can one use variables in a template or template part without polluting the global scope?
  100. May I know where to edit the tax rate?