Escaping output fields ( the_content() )

To make the themes more secure, every echo $something output must be serialized. Nothing wrong with that, this is how it should be.

However, the_content() outputs everything. You can use <script> tags in it, which is kind of vulnerable and defeats the purpose of escaping everything else. If we escape it with echo wp_kses_post(get_the_content()), it can no longer contain iframes and now the native video embedding of WordPress doesn’t work.

How do you deal with this and what is your solution to the problem?

You don’t need to escape the_content, as WP does it itself, including wp_kses and wp_sanitize.

https://code.tutsplus.com/articles/data-sanitization-and-validation-with-wordpress--wp-25536 should give you a good understanding of when and where to sanitize.

But why then does the content allow script tags? Isn’t this a vulnerability?

Allowing script tags isn’t bad; it’s allowing certain elements within the tags. WordPress filters out stuff that shouldn’t be there.

Alright, what is then the preferred way if, say, we have a WYSIWYG custom field and we want to output it?

$content = get_field('content_field');

echo $content - Envato will reject our theme because it is not escaped.
echo wp_kses_post($content) - This will remove YouTube and similar video embedding.

Something like:

echo apply_filters('the_content', get_field('content_field'));
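
Added example, not part of the thread: one way to output the WYSIWYG field so that video embeds survive while the result still passes through an allowlist at output time. It assumes ACF's get_field() and the 'content_field' name from the question; the function name mytheme_render_wysiwyg_field() and the iframe host list are hypothetical.

```php
<?php
/**
 * Added example. Assumes ACF's get_field(); the function name and the
 * host list below are hypothetical and should be adjusted per theme.
 */
function mytheme_render_wysiwyg_field( $field_name ) {
	$raw = get_field( $field_name );
	if ( ! is_string( $raw ) || '' === $raw ) {
		return '';
	}

	// Run the same filter chain as the_content(), so a bare video URL
	// on its own line becomes the provider's embed markup.
	$html = apply_filters( 'the_content', $raw );

	// Start from the allowlist wp_kses_post() uses and add <iframe> with
	// only the attributes an embed needs. <script> is still not allowed.
	$allowed           = wp_kses_allowed_html( 'post' );
	$allowed['iframe'] = array(
		'src'             => true,
		'width'           => true,
		'height'          => true,
		'title'           => true,
		'frameborder'     => true,
		'allow'           => true,
		'allowfullscreen' => true,
	);
	$clean = wp_kses( $html, $allowed );

	// Drop any iframe whose src host is not an expected embed provider.
	$hosts = array( 'www.youtube.com', 'player.vimeo.com' ); // assumed list
	return preg_replace_callback(
		'#<iframe\b[^>]*\bsrc=["\']([^"\']+)["\'][^>]*>.*?</iframe>#is',
		function ( $m ) use ( $hosts ) {
			$host = wp_parse_url( $m[1], PHP_URL_HOST );
			return in_array( $host, $hosts, true ) ? $m[0] : '';
		},
		$clean
	);
}

echo mytheme_render_wysiwyg_field( 'content_field' );
```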