Should `get_template_directory_uri()` be escaped?

In that function we find a hook:

return apply_filters( 
    'template_directory_uri', 
    $template_dir_uri, 
    $template, 
    $theme_root_uri
);

So, yes, the URI can be changed by plugins, and you should escape its returned value.

The same principle applies to all WordPress URI functions, like get_home_url(), get_site_url() and so on. Keep in mind that there are not only good plugin developers out there. Some make mistakes, maybe just very small ones that happen only in some circumstances.

In case of wp_enqueue_style(), WordPress does escape the URL by default. But that is a wrapper for the global WP_Styles instance, and this in turn can be replaced easily – even with a less safe version. That’s not very likely, but you should be aware of this possibility.

Unfortunately, WP itself doesn’t follow the better safe than sorry directive. It doesn’t even escape translations. My advice is not to look at the core themes for best practices. Always look at the source of the data and see if it can be compromised.

Related Posts:

  1. Is it good to rename theme folder downloaded from WordPress.org?
  2. Using esc_url with a hard coded url
  3. correct tags for validating input types
  4. Should we escape the values of constants?
  5. How to add custom css file in theme?
  6. get_template_part vs action hooks in themes
  7. Do I actually need to link my theme’s style.css in the theme files
  8. CSS classes for theme
  9. How to remove search bar from a wordpress theme? [closed]
  10. My child theme doesn’t work Error: “The parent theme is missing. Please install your parent theme”
  11. Page template in two level deep folder
  12. Theme file for all pages that are a child of a specific page
  13. How to sanitize select box values in post meta?
  14. Worthwhile to restrict direct access of theme files?
  15. Child Theme not loading parent CSS
  16. Use of undefined constant FS_CHMOD_DIR – assumed ‘FS_CHMOD_DIR’
  17. How to show next Post Thumbnail image in WordPress using current post id
  18. Registering Sidebars and Sidebar Widgets. Sidebar Widgets Not Displaying
  19. How do I get a parent theme modification from a child theme?
  20. Removing the default sidebar from admin panel
  21. First post of each category
  22. how to pull wordpress post comments to a external page
  23. Why use while over if in single wordpress posts?
  24. WordPress website loads but is not displayed until page scrolled
  25. Create a theme by combining a parent and a child theme
  26. Theme Customizer not loading
  27. How to add oEmbed support to my theme?
  28. Single Theme folder for Multiple WordPress
  29. How i can get widgets areas working in customizer?
  30. How Can I Create a List of Values to Be Iterated Through via WordPress Customization API?
  31. Cutomize Colors utility: How to add more configurable colors to a theme
  32. If I build a custom theme, will it update?
  33. Recommended tools for Theme Development with SASS [closed]
  34. What tags should be used for themes to show the type of layout?
  35. What are non-printable characters doing in my theme?
  36. WordPress post arrangement using post_class
  37. Customize the previous_post_link output
  38. How can I let templates choose which stylesheets are enqueued?
  39. My Admin bar covers my sticky navbar [closed]
  40. Lightweight framework [closed]
  41. How to edit my theme for full width?
  42. Edit footer via customizer
  43. loading blank white screen of slide
  44. Migrated WordPress site renders Chinese
  45. Echo all category names, apart from one
  46. Customizer – loading settings/controls/sections/panels based on a id/page id
  47. Overrite parent functions using child functions
  48. Does code in function.php differ from theme to theme
  49. How can I change the theme of different posts using a plugin?
  50. How to Have a Pure HTML Sub Directory In WP Site
  51. Theme not showing up
  52. Theming Using Bootstrap Glyphicons and WordPress Dashicons
  53. Change image size depending on page
  54. What are the critical theme files when building a custom theme?
  55. Having issue with WordPress wp_enqueue_style
  56. Starting point for custom Themes [closed]
  57. Why still output /wp-content/themes/twentynineteen?
  58. get_header action not working
  59. Unable to change the priority with ‘remove_action’ and ‘add_action’ in child theme
  60. Remove h1 from 2015 theme
  61. WordPress pulling in random page themes
  62. Some doubts about WordPress handle the horizontal main menu visualization
  63. Filter didn’t work on content class (hybrid_post_attributes)
  64. Can’t change theme name
  65. How to remove permalinks links presents in each page of my site?
  66. Is there a way to serve different resolution images to different devices?
  67. How to make a function occurs for one time?
  68. How do I restructure the comment HTML layout?
  69. Custom Enfold theme tab layout not compatible with WPML
  70. Theme: dropdown hover menu not showing up in IE/Edge
  71. Problem with pagination link (error 404)
  72. how to ensure responsiveness in wp themes? [closed]
  73. How to test another theme in a live WordPress website instead of live preview?
  74. home is not working in wordpreess
  75. Is there a way to create sections under “Colors” panel in the Theme Customizer?
  76. Local theme changes upload on server but theme changes not showing
  77. WordPress Custom font not found
  78. Can’t upload images on new theme
  79. New created Theme leads to malfunctioning Xampp Apache –> functions.php is cause
  80. WordPress Blog Page displaying nothing
  81. Primary Menu Showing All Pages With No Sub-Nav
  82. Magnific Popup – Add Caption to Images
  83. Why do WordPress developers use so many opening and closing PHP tags when developing themes? [duplicate]
  84. Safe way to echo wp_trim_words
  85. How can I demonstrate themes well?
  86. Why the slideshow is not shown in my theme?
  87. How to update my own theme?
  88. WordPress custom jquery not found
  89. Displaying Tags for the Page I’m On?
  90. Custom link color or stylesheets
  91. How to make navigation a list without a plugin? [duplicate]
  92. Showcase your wordpress themes [closed]
  93. What is The Best Way to Make Parallax header effect for wordpress theme ?? pure CSS or using JavaScript? [closed]
  94. How to remove proudly created by WordPress in theme?
  95. Roll my own theme or customize an existing one [closed]
  96. Why do some sites show themes/”themename” as the only theme?
  97. How do I add new layout width options in WordPress editor?
  98. How to make a multilingual wordpress site to be translated one-to-one without much effort and without using translate?
  99. Is there a way to have WordPress autodetect page templates in the page-templates directory and any sub-folders?
  100. My wordpress site memory exhausted more than 1GB trying to debug with default

Leave a Comment