PHP Coding Standards, Widgets and Sanitization
These arguments contain arbitrary HTML and cannot be properly escaped. This is essentially a limitation on how Widgets code was designed and you can see in core Widget classes that no escaping is done on these. Lessons to learn: WP core doesn’t consistently adhere to its own coding standards (and getting there isn’t considered worth … Read more