The security risk here is not about the plain text but about translation. You should note that esc_html_e is not only a function for escaping HTML but also for localization (l10n). I.e. other people can translate this String but you don’t know what the translation would be. It is possible that somebody translates the String … Read more
Yes it does. Escaping depends on context and in worst case like using esc_html when writing directly to the DB are just a security hole. Even if there is no security issue, there is theoretical one. The user asked you to store A, and you are storing B. In a simple cases B is exactly … Read more
I just installed SyntaxHighlighter Evolved, and while testing on an existing post I was dismayed to find that all the quotes ” had been converted to " (the single quotes were fine). I was using the HTML editor. In case you are also in this position, I found that it’s just the post preview that … Read more
You are looking for wp_kses(). https://developer.wordpress.org/reference/functions/wp_kses/ There are more helper functions like wp_kses_post() and wp_kses_data()
You can look at the Codex. Encodes < > & ” ‘ (less than, greater than, ampersand, double quote, single quote). Will never double encode entities. Given that, arguably, both of those strings need sanitization. Imagine a site name like >> “My” Website’s Great Title <<” Also, since you are using this in Javascript, you … Read more
No, escaping should happen at the moment of output ( late escaping ) so that we know that it only occurs once. Double escaping can allow specially crafted output to break out. By escaping, we’re talking about functions such as esc_html, wp_kses_post, esc_url, etc. Sanitizing functions and validating functions are not the same, e.g. sanitize_textfield. … Read more
Note that the WPCS standards for PHPCS are not “official”. I am one of the maintainers, and all that we can do is to do our best to match the standards that WordPress suggests. In this case, I’m unsure how you would escape the output from wp_oembed_get(). The function may indeed need to be escaped … Read more
These arguments contain arbitrary HTML and cannot be properly escaped. This is essentially a limitation on how Widgets code was designed and you can see in core Widget classes that no escaping is done on these. Lessons to learn: WP core doesn’t consistently adhere to its own coding standards (and getting there isn’t considered worth … Read more
As far as I know wp_localize_script doesn’t escape data any more than is necessary to produce valid JSON, and everything is sent as a string. The function was originally designed to allow translating the strings used in your JS into other languages (hence the “localize” part of the function name). So if the data you’re … Read more
I’m not sure if this is a bug, but it need further investigation. I’ve run a few quick tests on the name field in a tax_query, and whenever a term name has got a special character or have more than one word, the tax_query is excluded from the SQL query TEST 1 I have use … Read more