Data Validation Soft Reject

wordpress
item-feedback

#1

Hello! There is the following code:

<?php $audio = get_post_meta($post->ID, '_format_audio_embed', true); ?>
<?php if(wp_oembed_get($audio)): ?>
  <?php echo esc_html(wp_oembed_get($audio)); ?>
<?php else: ?>
  <?php echo esc_html($audio); ?>
<?php endif; ?>

The reject reason is: “all dynamic data must be correctly escaped for the context where it is rendered. Please perform a global search for “echo $” and you will see several issues”. After the reason there is a link to my code, but I don’t understand how I can escape $audio, because it may be HTML code for Soundcloud (for example). Thanks in advance.


#2

Use wp_kses() function and create an array of allowed tags: https://codex.wordpress.org/Function_Reference/wp_kses
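
An added example of the wp_kses() approach suggested above, not code from any poster in this thread. It assumes a WordPress theme context and that an audio embed only needs an iframe; the helper name mytheme_render_audio_embed() and the attribute allowlist are illustrative assumptions.

```php
<?php
/**
 * Added example: render the audio embed stored in post meta, keeping only
 * the markup an audio player needs. Hypothetical helper for functions.php.
 */
function mytheme_render_audio_embed( $post_id ) {
	$audio = get_post_meta( $post_id, '_format_audio_embed', true );
	if ( empty( $audio ) ) {
		return;
	}

	// Allowlist (assumption): a single <iframe> with presentation attributes.
	// Tags not listed here, such as <script>, and attributes not listed,
	// such as onload, are stripped by wp_kses().
	$allowed_html = array(
		'iframe' => array(
			'src'             => true,
			'width'           => true,
			'height'          => true,
			'title'           => true,
			'frameborder'     => true,
			'scrolling'       => true,
			'allow'           => true,
			'allowfullscreen' => true,
		),
	);

	// URLs inside the kept attributes may only use these schemes.
	$allowed_protocols = array( 'http', 'https' );

	// If the meta value is a URL known to an oEmbed provider, use the
	// provider's markup. Call wp_oembed_get() once: it may do an HTTP request.
	$embed = wp_oembed_get( $audio );

	// Otherwise treat the value as pasted embed code. Both paths go through
	// the same filter, so neither the remote response nor the stored meta
	// is echoed unfiltered.
	$html = $embed ? $embed : $audio;

	echo wp_kses( $html, $allowed_html, $allowed_protocols );
}
```

In a template this is called as mytheme_render_audio_embed( get_the_ID() ). Providers that return other elements need those elements added to the allowlist deliberately.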


#3

What will $audio render?

In short:
If it renders a link then esc_url()
If it renders plain html, then esc_html__e / esc_html__
If it renders attribute, then esc_attr()

Or, study this page: