I had a look at the code but I couldn't see any escaping on functions like `the_title`, `the_content`, `the_excerpt`, etc. I might not be reading it right. Do I need to escape these functions in theme development like:

    esc_html( the_title() )

Edit: as pointed out in the answers below, the above code is wrong regardless – the code should have read

    esc_html( get_the_title() )
Escaping depends entirely on the context in which you are using the functions. What is safe for displaying inside `<h1>` tags is not necessarily safe to display for the `value` attribute of an input field, and even that wouldn't necessarily be safe as a `href` attribute value…. In short – perform the sanitisation yourself as you output it. Though in the case of `the_title()` or `get_the_title()`, `esc_html` is not necessary, since WordPress applies the following functions: `convert_chars`, `wptexturize`

Note: `the_title` prints the title – so `esc_html( the_title() )` won't work. Similarly, `the_content` prints the content (in any case, you'd expect the content to display HTML).

Yes and no – depends on whether you want HTML in those functions to be output or not. If you escape `the_content()`, for example, and it contains a `<div>` tag, that tag would actually be output to the page as `&lt;div&gt;` instead.

By the way, if you do escape the output of those functions, you'll want to use their "get_" equivalents (ex. `get_the_content()`) as those functions echo their output directly.

You can simply write a function like this and hook it to the `the_title` filter: