How to escape HTML generated by a loop
This seems to have done the trick:

    // Display our list of font options
    $allowed_html = array(
        'option' => array(
            'value'    => array(),
            'selected' => array(),
        ),
    );
    echo wp_kses( $fontListStr, $allowed_html );
There are several issues here: echo esc_attr_e should be just esc_attr_e; the _e means it already echoes. esc_attr_e is not just an escaping function, it's a localisation API; it's shorthand for echo esc_attr( __( ... esc_attr strips out HTML; it's intended for use inside HTML attributes, where HTML tags are not allowed. You must never pass … Read more
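As an added example (not code from either answer above), here is the font list from the question rebuilt so that each value is escaped in its own context while the loop generates the markup, instead of running the finished string through wp_kses(). It also shows the point made about the _e suffix: esc_attr_e() and esc_html_e() echo by themselves, so they are not prefixed with echo. The theme mod name body_font, the text domain mytheme and the font array are assumptions.

```php
<?php
// Added example: escape each value as the loop builds the <select>.
// Assumptions: theme mod 'body_font' and text domain 'mytheme' (both hypothetical).
$fonts = array(            // constructed sample data
    'arial'   => 'Arial',
    'georgia' => 'Georgia',
    'tahoma'  => 'Tahoma',
);
$current_font = get_theme_mod( 'body_font', 'arial' );
?>
<label for="body_font"><?php esc_html_e( 'Body font', 'mytheme' ); ?></label>
<select name="body_font" id="body_font" title="<?php esc_attr_e( 'Choose a font', 'mytheme' ); ?>">
<?php foreach ( $fonts as $slug => $label ) : ?>
    <?php
    // esc_attr() for attribute values, esc_html() for text between tags.
    // selected() echoes selected='selected' when the two values match.
    ?>
    <option value="<?php echo esc_attr( $slug ); ?>"<?php selected( $current_font, $slug ); ?>>
        <?php echo esc_html( $label ); ?>
    </option>
<?php endforeach; ?>
</select>
```

Because the option value and the visible label are escaped at the point where they are written, the generated string never has to be re-parsed by wp_kses(), and a font name containing quotes or angle brackets cannot break out of the attribute or the element.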
The simple answer appears to be human error. Originally, during development, Twenty Twenty One had one menu, registered like this: 'primary' => __( 'Primary Navigation', 'twentytwentyone' ), Then somebody went through and added escaping to many __() throughout the theme, resulting in this: 'primary' => esc_html__( 'Primary Navigation', 'twentytwentyone' ), Then, later on, a second … Read more
I would suggest using esc_html instead of esc_attr for that, e.g.

    <a href="<?php echo esc_url( $url ); ?>" class="<?php echo esc_attr( $classes ); ?>">
        <?php echo esc_html( $title ); ?>
    </a>
    <div>
        <?php echo wp_kses_post( $html_with_safe_tags ); ?>
    </div>
    <script>
        <?php echo wp_json_encode( $data_for_js ); ?>
    </script>

There is also: esc_html__ esc_attr__ etc ( escape translations too! … Read more
Use get_search_query or the_search_query to return/output the search term as a properly escaped value, don’t access $_GET directly. You’re trying to escape something that’s already URLencoded.
"not sure the difference but I used &nbsp for adding a white space ..then passed it through wp_kses()"

The correct HTML entity for a non-breaking space is &nbsp; (note the ; which is required). Without it (i.e. &nbsp), the entity is not valid, and when used with wp_kses() you'd get &nbsp instead of … Read more
Yes, you do. Even if you have sanitised the value when saving it, you should always escape on output. <a href="<?php echo esc_url( get_theme_mod( 'url' ) ); ?>"> If you're outputting a mailto: link to an email address, you also need to escape this with esc_url(), just make sure that the mailto: part is included in … Read more
It’s okay to use it more than once, but not encouraged. However, in your first example, you’re saving the URL to the database. When you do that, or when using the URL in the wp_remote_* context, or a redirect, or any other non-display context, you should be using esc_url_raw() instead. Also note that get_post_meta will … Read more
You cannot use constants or anything other than actual strings with translation functions. This is because the code that reads your code, and produces the translatable strings does not actually run your code, it is reading your code. Here is a more detailed post on the topic: http://ottopress.com/2012/internationalization-youre-probably-doing-it-wrong/ But the short version is this: This … Read more
esc_js() breaks unicode sequences by removing the slash ‘\’ character
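The two JavaScript contexts referred to on this page, as an added example that is not part of any answer here: esc_js() is meant for a single-quoted string inside an inline event-handler attribute, whereas data handed to a script block should go through wp_json_encode(), whose \uXXXX output would lose its backslashes if esc_js() were applied on top of it. The script handle mytheme-fonts, the script path and the sample data are assumptions.

```php
<?php
// Added example. Assumptions: script handle 'mytheme-fonts' and file js/fonts.js (hypothetical).
function mytheme_fonts_inline_data() {
    wp_enqueue_script( 'mytheme-fonts', get_theme_file_uri( 'js/fonts.js' ), array(), '1.0', true );

    // Constructed sample data; the accented character is emitted as \u00e9 by wp_json_encode().
    $data = array(
        'label'   => 'Café',
        'fontUrl' => home_url( '/fonts/cafe.woff2' ),
    );

    // wp_json_encode() already yields a valid JS literal, so nothing else is applied to it.
    // Passing the result through esc_js() would be wrong: its stripslashes() step turns \u00e9 into u00e9.
    wp_add_inline_script(
        'mytheme-fonts',
        'var mythemeFonts = ' . wp_json_encode( $data ) . ';',
        'before'
    );
}
add_action( 'wp_enqueue_scripts', 'mytheme_fonts_inline_data' );

// esc_js() belongs in a quoted JS string inside an HTML attribute, where the value is plain text.
function mytheme_preview_button( $font_label ) {
    printf(
        '<button type="button" onclick="alert(\'%s\')">%s</button>',
        esc_js( $font_label ),
        esc_html( $font_label )
    );
}
```

The rule of thumb that follows is: one escaping function per output context, chosen for that context, and never stacked. A value encoded for JSON is already in its final form for a script block; only a bare string dropped into an attribute-level JS string needs esc_js().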