Hello, hope you all are having a good day. I made a social media plugin and wrapped all of its code in a shortcode to put into a plugin. Now, for ease of use for the users of my theme, I also call the shortcode in the header so they don't have to place it there manually; all of the options are given to the user on its settings page. Don't worry, it's completely compatible with any theme out there, and my calling the shortcode in my theme is just for the sake of ease of use for the users of my theme.

The thing is, all of its content is properly escaped at every step, but when I am echoing do_shortcode() in my theme, do I need to escape it all again with wp_kses(), or is there no need? It's near impossible to escape all of its content again in just one function by specifying what to allow and what not to allow. So if I simply echo it out like echo do_shortcode( '[_themename_social /]' ); it won't be against the ThemeForest requirements, right? All of its content is already properly escaped, and I know I should escape at the latest stage possible, but I can't just escape all of its content here: it saves values to the database etc. and has many escaping functions, so all of the escaping needs to be done at the appropriate places.
It is always best practice to escape at the very end, when you actually echo.
3 Likes
I used wp_kses() again to escape it, if anyone is interested in the answer.
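
The late-escaping approach the thread settles on, sketched for a theme's header.php as an added example (not code from any poster). The helper name `_themename_social_allowed_html()` is hypothetical, and the tag and attribute allowlist is an assumption about what a social-links shortcode emits; it has to match the plugin's real markup.

```php
<?php
/**
 * Added example: escape shortcode output at the point of echo.
 * The allowlist is an assumption about the shortcode's markup (a list of
 * icon links); anything not listed here is stripped by wp_kses().
 */

/**
 * Hypothetical helper: tags and attributes the social shortcode may output.
 */
function _themename_social_allowed_html() {
	return array(
		'div'  => array( 'class' => true, 'id' => true ),
		'ul'   => array( 'class' => true ),
		'li'   => array( 'class' => true ),
		'a'    => array(
			'href'       => true,
			'class'      => true,
			'title'      => true,
			'target'     => true,
			'rel'        => true,
			'aria-label' => true,
		),
		'span' => array( 'class' => true, 'aria-hidden' => true ),
		'i'    => array( 'class' => true, 'aria-hidden' => true ),
	);
}

// Render only when the plugin that registers the shortcode is active,
// otherwise the raw "[_themename_social /]" text would be printed.
if ( shortcode_exists( '_themename_social' ) ) {
	echo wp_kses(
		do_shortcode( '[_themename_social /]' ),
		_themename_social_allowed_html(),
		// Protocol allowlist for URL attributes: javascript: and data:
		// links stored in the plugin's options are neutralised here.
		array( 'http', 'https', 'mailto' )
	);
}
```

The escaping inside the plugin stays where it is; this call is a second, output-side filter, so a value that slips past one of the plugin's own escaping functions still cannot inject script tags or event-handler attributes into the header.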