Dynamic Custom Code Escaping

Dear Bosses,
I have the following two snippets of code that render the custom code in the header.php and footer.php:

<!-- code before closing head tag -->
<?php echo $x_redux_option['x_code_before_head']; ?>
<!-- code before closing body tag -->
<?php echo $x_code_before_body; ?>

The data is coming from the redux framework dynamically.
The options only accept code wrapped in script tags and HTML markup that is valid inside the tag for the header, and valid HTML markup for the footer.

The fact is that the Themeforest Mentor shows the following errors:

  1. All dynamic data must be correctly escaped for the context where it is rendered. at file header.php, line 39: <?php echo $x_redux_option['x_code_before_head']; ?>

  2. All dynamic data must be correctly escaped for the context where it is rendered. at file footer.php, line 44: <?php echo $x_code_before_body; ?>


How can I escape this data? Will I use the wp_kses() function? But which HTML tags should I allow? How can I know which tags should be allowed?

Please, extend your helping hand as before. :slight_smile:
Thank you so much for taking the trouble to read.

Hi @anSRThemeAction,

I’d go with esc_html. Since you are going to echo HTML and scripts, wp_kses would need to allow pretty much all the tags. Your code is going to look like this:

<!-- code before closing head tag -->
<?php echo esc_html( $x_redux_option['x_code_before_head'] ); ?>
<!-- code before closing body tag -->
<?php echo esc_html( $x_code_before_body ); ?>

I suppose you’re familiar with data escaping, however I’ll leave a link to official WordPress docs anyway:
https://developer.wordpress.org/themes/theme-security/data-sanitization-escaping/

Thanks,
Luca

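As an added example (not code from the original post or from the theme), the script below prints what each of the calls discussed above produces for one constructed "custom code" value, so the three outputs can be compared against what the option is meant to render. It assumes WordPress is loaded (for example, run it with WP-CLI as `wp eval-file escape-demo.php`); the sample string, the allowlist in `x_head_code_allowed_html()` and the helper `x_sanitize_head_code()` are assumptions for illustration, not part of the theme.

```php
<?php
/**
 * Added example, not code from the original post or from the theme.
 * Compares esc_html() and wp_kses() on one constructed "custom code" value.
 * Assumes WordPress is loaded, e.g. run with WP-CLI: wp eval-file escape-demo.php
 */

// Constructed sample standing in for $x_redux_option['x_code_before_head'].
// It mixes a meta tag, an external script and an inline script, plus one
// thing the option should never let through: an event-handler attribute.
$custom_code = '<meta name="robots" content="noindex">' . "\n"
             . '<script src="https://example.com/analytics.js"></script>' . "\n"
             . '<script>window.x = 1 && 2;</script>' . "\n"
             . '<img src="x" onerror="alert(1)">';

// Allowlist for the "before </head>" option (an assumption; adjust it to what
// your documentation says the option accepts). Attributes not listed here,
// including every on* handler, are dropped by wp_kses(). Values of src/href
// are additionally checked against wp_allowed_protocols(), so javascript:
// URLs are removed as well.
function x_head_code_allowed_html() {
    return array(
        'meta'   => array( 'name' => true, 'content' => true, 'charset' => true,
                           'http-equiv' => true, 'property' => true ),
        'link'   => array( 'rel' => true, 'href' => true, 'type' => true,
                           'media' => true, 'crossorigin' => true ),
        'script' => array( 'src' => true, 'type' => true, 'async' => true, 'defer' => true ),
        'style'  => array( 'type' => true, 'media' => true ),
    );
}

// One function to use both when the option is saved (sanitize) and when it is
// printed (escape), so the two stages cannot drift apart.
function x_sanitize_head_code( $code ) {
    return wp_kses( (string) $code, x_head_code_allowed_html() );
}

echo "--- esc_html() ---\n";
// Every <, >, &, " and ' becomes an entity: the browser shows the markup as
// text and executes none of it.
echo esc_html( $custom_code ), "\n\n";

echo "--- wp_kses() with the 'post' allowlist ---\n";
// script and meta are not in the post allowlist, so their tags are stripped
// while the text between them is kept; the img survives but loses onerror.
echo wp_kses( $custom_code, wp_kses_allowed_html( 'post' ) ), "\n\n";

echo "--- wp_kses() with the option-specific allowlist ---\n";
// meta, the external script and the inline script tag survive; img is removed.
echo x_sanitize_head_code( $custom_code ), "\n";

// Caveat to check in the last output: kses treats the inline script body as
// ordinary HTML text. A bare '&' is rewritten to '&amp;' (so '&&' becomes
// '&amp;&amp;') and a bare '<' is treated as the start of a tag, so inline
// JavaScript can stop working. Externally loaded scripts (src="...") are not
// affected, which is a reason to prefer them for this kind of option.
```

Whichever function you settle on, run the real option values through it once and look at the page source: the check that matters is whether the markup the option was designed to accept still renders, while an injected `on*` attribute or `javascript:` URL does not.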

Thank you so much @LucaThemesCom for your generous help.
As you’re a moderator of this forum, I guess esc_html() would be the best practice for themeforest submission. Am I correct?

Oh, I guess you have answered this on stackoverflow. Am I right? :slight_smile:

Oh, one thing more Mr Luca :slight_smile:

Is it required to sanitize data in my bundled plugin?

I’m actually a regular member of Envato forums with Moderator privileges :slight_smile: I have answered on Stack, correct. The kind of escape function depends solely on the data you need to escape; you should use the proper escape function when necessary.

You should always sanitize and escape data, for security reasons.

Thanks,
Luca
