Don’t get confused with escaping data in WordPress

When you create WordPress themes to be used in different sites, you need to be careful about handling the data which is coming into WordPress as well as the data which you are presenting to users. Escaping data in WordPress is something that you need to consider.

Escaping

Escaping means securing output. Escaping data in WordPress helps prevent XSS attacks, and it also ensures that data is displayed the way the user expects.

You can convert the special HTML characters into HTML entities through escaping so that rather than being executed, they are displayed.

Example: While displaying the chat messages, Facebook escapes them. They do this to ensure that the users do not run code on one another’s computers.

Escaping depends entirely on the context in which the output is used. What is fine to display inside <h1> tags is not necessarily safe as the value attribute of an input field, and even that would not necessarily be safe as an href attribute value.

In short – perform the sanitisation yourself as you output it. Though in the case of the_title() or get_the_title(), esc_html is not necessary, since WordPress applies the following functions:

convert_chars
wptexturize

Note: the_title prints the title – so esc_html ( the_title () ) won’t work. Similarly, the_content prints the content (in any case, you’d expect the content to display HTML).

It depends on what you’re doing, actually. Escaping should be done on any unknown variables on output.

For example, there’s no need to escape this:

if ( 1 === get_theme_mod( 'some_number', 1 ) ) {
    echo 'Hello';
}

However, you’d escape this:

echo esc_url( get_theme_mod( 'some_url', 'http://wordpress.org' ) );

Should get_theme_mod() be escaped? Possibly. A better question is: should variables be escaped on output, or should variables be sanitized on input? Yes, to both.

Sanitizing

Sanitizing means cleaning user input. This process removes any text, characters or code from the input that are not allowed.

Validating

Validating means checking user input. Its purpose is to determine whether the user has entered a valid value or not.
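
The three steps above applied to the theme mods used earlier on this page, as an added example (not code from the original article): values are validated and sanitized when saved through the Customizer, then escaped per context when printed. It assumes WordPress loads it from a theme's functions.php; `some_label` and the `mytheme_` prefix are hypothetical names.

```php
<?php
// Added example; assumes WordPress loads this from a theme's functions.php.
// 'some_label' and the mytheme_ prefix are hypothetical names.

// Validating: accept the number only if it is an integer from 1 to 10.
function mytheme_validate_number( $validity, $value ) {
    $range = array( 'options' => array( 'min_range' => 1, 'max_range' => 10 ) );
    if ( false === filter_var( $value, FILTER_VALIDATE_INT, $range ) ) {
        $validity->add( 'out_of_range', 'Enter a whole number from 1 to 10.' );
    }
    return $validity;
}

// Sanitizing: clean each value on input, before it is stored.
function mytheme_customize_register( $wp_customize ) {
    $wp_customize->add_setting( 'some_url', array(
        'default'           => 'http://wordpress.org',
        'sanitize_callback' => 'esc_url_raw',         // URL cleaned for storage
    ) );
    $wp_customize->add_setting( 'some_label', array(
        'default'           => '',
        'sanitize_callback' => 'sanitize_text_field', // strips tags and line breaks
    ) );
    $wp_customize->add_setting( 'some_number', array(
        'default'           => 1,
        'validate_callback' => 'mytheme_validate_number',
        'sanitize_callback' => 'absint',
    ) );
}
add_action( 'customize_register', 'mytheme_customize_register' );

// Escaping: on output, pick the function that matches the HTML context.
function mytheme_render_link() {
    $url   = get_theme_mod( 'some_url', 'http://wordpress.org' );
    $label = get_theme_mod( 'some_label', '' );
    $count = get_theme_mod( 'some_number', 1 );
    ?>
    <h1><?php echo esc_html( $label ); ?></h1>
    <input type="text" value="<?php echo esc_attr( $label ); ?>">
    <a href="<?php echo esc_url( $url ); ?>" data-count="<?php echo absint( $count ); ?>">
        <?php echo esc_html( $label ); ?>
    </a>
    <?php
}
```

The stored values are still escaped on output because a theme mod can be changed by other code or directly in the database, bypassing the Customizer callbacks.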