Hi,
I’ve been soft rejected a couple of times for “Escaping Dynamic Content”. After the last time, I need some clarification.
Does this example below need escaping at the point of echo $output and if so, what would I use… wp_kses?
$output = '';
$output .= '';
echo $output;
Thank you.
There’s no need for wp_kses here. The rejection might be due to not escaping translated strings, e.g.
__( 'My content..', 'text-domain' );
should be
esc_html__( 'My content..', 'text-domain' );
SubatomicThemes is right; however, the impression I got is that the reviewers search for ‘echo $’ and soft reject if anything comes up.
I eventually used wp_kses on any HTML output to be safe; that seems to have done the trick.
I guess it’s a quick way for the reviewers to check, even though sometimes it makes no sense, like in @ACODA’s example above. I guess you could leave a comment at the end of the line:
echo $content; // Note to reviewer: All user input has been escaped. See above :)
Thanks for the reply.
All translation fields are escaped too.
I can’t work out whether, because I’ve now used a variable ( $output ) that contains HTML, $output itself now needs to be escaped. If that’s the case, it would explain why they say to do a global search for ‘echo $’. Confused!
Did you use a specific array for wp_kses?
You just list out what is needed in terms of your HTML output. I used this for my widgets:
array(
    // tag name => attributes allowed on that tag; an empty array() allows the attribute with any value
    'br'    => array( 'class' => array() ),
    'small' => array( 'class' => array() ),
    'h1'    => array( 'class' => array(), 'style' => array() ),
    'h2'    => array( 'class' => array(), 'style' => array() ),
    'h3'    => array( 'class' => array(), 'style' => array() ),
    'h4'    => array( 'class' => array(), 'style' => array() ),
    'h5'    => array( 'class' => array() ),
    'h6'    => array( 'class' => array() ),
    'li'    => array( 'class' => array() ),
    'ul'    => array( 'class' => array() ),
    // href is an attribute of <a>, not a tag of its own, so it belongs here rather than as a top-level entry
    'a'     => array( 'class' => array(), 'href' => array() ),
    'i'     => array( 'class' => array(), 'style' => array(), 'id' => array() ),
    'div'   => array( 'class' => array(), 'style' => array(), 'id' => array() ),
    'span'  => array( 'class' => array(), 'style' => array(), 'id' => array() ),
    'img'   => array( 'width' => array(), 'height' => array(), 'alt' => array(), 'src' => array(), 'class' => array(), 'style' => array(), 'id' => array() ),
)
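To tie the two replies together (escape each translated string, attribute value and URL at the point it is concatenated into $output, and use wp_kses only where the content may legitimately contain HTML), here is an added example; it is not code posted by anyone in this thread. It assumes it runs inside WordPress, so esc_html(), esc_html__(), esc_attr(), esc_url() and wp_kses() are available; the widget name, the $instance keys and the sample values are made up for illustration.

```php
<?php
// Added example, not from the thread. Assumes WordPress is loaded (theme or plugin
// context) so the esc_* functions and wp_kses() exist. The function names, the
// $instance keys and the sample values below are assumptions for illustration.

/**
 * Build the markup for a hypothetical "promo" widget. Every dynamic value is
 * escaped as it is appended to $output, with the function that matches the
 * HTML context it lands in (text, attribute, URL, or filtered HTML).
 */
function example_promo_widget_markup( array $instance ) {
    $title = isset( $instance['title'] )     ? $instance['title']     : '';
    $url   = isset( $instance['url'] )       ? $instance['url']       : '';
    $css   = isset( $instance['css_class'] ) ? $instance['css_class'] : '';
    $body  = isset( $instance['body'] )      ? $instance['body']      : '';

    $output  = '';
    // Attribute context: esc_attr() encodes quotes so the value cannot break out.
    $output .= '<div class="promo ' . esc_attr( $css ) . '">';
    // Text context: esc_html() for data, esc_html__() for translated strings.
    $output .= '<h3>' . esc_html( $title ) . '</h3>';
    // The body may contain limited HTML from the site owner, so it is filtered
    // against a whitelist instead of being escaped to text.
    $output .= '<div class="promo-body">' . wp_kses( $body, example_promo_allowed_html() ) . '</div>';
    // URL context: esc_url() drops schemes not in wp_allowed_protocols().
    $output .= '<a class="promo-link" href="' . esc_url( $url ) . '">'
             . esc_html__( 'Read more', 'text-domain' ) . '</a>';
    $output .= '</div>';

    return $output;
}

/**
 * Whitelist for wp_kses(): tag => allowed attributes. Tags and attributes not
 * listed here (script, iframe, onclick, style, ...) are removed.
 */
function example_promo_allowed_html() {
    return array(
        'p'      => array(),
        'br'     => array(),
        'strong' => array(),
        'em'     => array(),
        'a'      => array( 'href' => array(), 'title' => array(), 'rel' => array() ),
    );
}

// Constructed sample settings, chosen so each escaping function has something to do:
// markup in a text field, a non-http scheme in the URL, a quote in an attribute
// value, and a script tag plus an event handler attribute in the HTML body.
$instance = array(
    'title'     => 'Summer <sale>',
    'url'       => 'javascript:alert(1)',
    'css_class' => 'wide" onmouseover="alert(1)',
    'body'      => '<p>Hello <script>alert(1)</script><a href="/x" onclick="alert(1)">link</a></p>',
);

// Every piece of $output was escaped or whitelisted when it was built, so it is
// echoed as-is; passing it through esc_html() here would double-encode the markup.
echo example_promo_widget_markup( $instance );
```

Because each dynamic piece is escaped or filtered as it is concatenated, the final echo needs no further escaping. If a reviewer’s search for ‘echo $’ still flags it, echoing through wp_kses( $output, … ) is harmless as long as the whitelist covers every tag and attribute the function itself emits (div, h3 and class would have to be added to example_promo_allowed_html() for that). Note what wp_kses does and does not do: it removes tags and attributes that are not whitelisted, but the text between a removed pair of tags stays in the output, so it is a filter for markup, not a way to strip content. esc_url() returns an empty string for a value whose scheme is not in wp_allowed_protocols(), which is why the javascript: sample above produces an empty href rather than a live link.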