The answer is: of course they are not – otherwise you couldn’t use them for saving data to the DB.
But… the answer to your question isn’t so easy.
Sanitizing is the process of preparing data for storing in the DB. So, for example, if you insert some illegal characters in post_name, they will be removed, so the post_name is sanitized before saving. If you use a color picker in the Customizer, then you should sanitize its value (checking that it really is a color and not some random string) before saving. And so on.
But sanitized data can still be dangerous. You can use the “>” character in a title, so a title containing it will be sanitized. But of course you can’t print it directly in the HTML of your code.
That’s where escaping joins the game. Escaping is the process of making data from the DB safe for HTML code (based on context). Remember that the same title should be escaped in a different way when it’s printed inside a tag (then you should use esc_html) than when it’s used as an HTML attribute (then you should use esc_attr), and so on.
So yes – you should always sanitize your data before storing it in the DB and always use the correct way of escaping based on the given context.
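An added example (not part of the answer above) showing both halves in WordPress: sanitize on the way into the DB, escape on the way out according to context. It assumes it lives in a theme's functions.php; the setting name mytheme_accent_color and the meta key _mytheme_tagline are hypothetical.

```php
<?php
// Added example, not code from the original answer. Assumes a WordPress theme
// context; "mytheme_accent_color" and "_mytheme_tagline" are hypothetical names.

// 1. Sanitizing: a Customizer color setting with a sanitize_callback, so only a
//    valid hex color is ever saved (sanitize_hex_color() returns null otherwise).
add_action( 'customize_register', function ( WP_Customize_Manager $wp_customize ) {
    $wp_customize->add_setting( 'mytheme_accent_color', array(
        'default'           => '#0073aa',
        'sanitize_callback' => 'sanitize_hex_color',
    ) );
    $wp_customize->add_control( new WP_Customize_Color_Control(
        $wp_customize,
        'mytheme_accent_color',
        array( 'label' => 'Accent color', 'section' => 'colors' )
    ) );
} );

// 1b. Sanitizing free text before storing it as post meta. sanitize_text_field()
//     strips tags, but a bare ">" is legal text and survives, so the stored value
//     is clean for the DB yet still unsafe to print raw in HTML.
add_action( 'save_post', function ( $post_id ) {
    // Real code would also verify a nonce here (check_admin_referer()).
    if ( ! isset( $_POST['mytheme_tagline'] ) || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $clean = sanitize_text_field( wp_unslash( $_POST['mytheme_tagline'] ) );
    update_post_meta( $post_id, '_mytheme_tagline', $clean );
} );

// 2. Escaping: the same stored value is escaped differently per output context.
function mytheme_render_tagline( $post_id ) {
    $tagline = get_post_meta( $post_id, '_mytheme_tagline', true );
    $color   = get_theme_mod( 'mytheme_accent_color', '#0073aa' );

    // Inside an HTML attribute: esc_attr() so quotes cannot close the attribute.
    echo '<p class="tagline" title="' . esc_attr( $tagline ) . '"';
    // The color was validated on save, but output is still escaped for its context.
    echo ' style="color:' . esc_attr( $color ) . '">';
    // Between tags: esc_html() turns "<" and ">" into entities so they render as text.
    echo esc_html( $tagline );
    echo '</p>';
}
```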