Escaping output fields (the_content())

To make the themes more secure, every echo $something output must be serialized. Nothing wrong with that, this is how it should be.

However, the_content() outputs everything. You can use <script> tags in it, which is kind of vulnerable and defeats the purpose of escaping everything else. If we escape it with echo wp_kses_post(get_the_content()), it no longer can contain iframes and now the native video embedding of WordPress doesn’t work.

How do you deal with this, and what is your solution to the problem?

You don’t need to escape the_content as WP does it itself, including wp_kses and wp_sanitize

https://code.tutsplus.com/articles/data-sanitization-and-validation-with-wordpress--wp-25536 should give you a good understanding of when and where to sanitize.

But why then does the content allow script tags? Isn’t this a vulnerability?

Allowing script tags isn’t bad; it’s allowing certain elements within the tags. WordPress filters out stuff that shouldn’t be there.

Alright, what is then the preferred way if, say, we have a WYSIWYG custom field and we want to output it?

$content = get_field('content_field');

echo $content; - Envato will reject our theme because it is not escaped.
echo wp_kses_post($content); - This will remove YouTube and similar video embedding.

Something like:

echo apply_filters('the_content', get_field('content_field'));

You don’t need to escape the_content as WP does it itself, including wp_kses and wp_sanitize

This is not true, @Gareth_Gillman - WP escapes nothing in the content for you or anyone.
Read this: Reporting Security Vulnerabilities – Make WordPress Core
And this: the_title() | Function | WordPress Developer Resources
And this: the_content() | Function | WordPress Developer Resources

As you can see A) nothing will be escaped whatsoever, and B) it also does not sanitise whatsoever.
The entire point of a blogging software is to post things, and that includes, as for example @subsolar mentioned, iFrames.
And WP cannot magically guess what you will be including and what not.

That is why it forbids such things to low-trust users, but as an Admin you can save whatever you want, and it will display, as long as you do not escape the_content, which you really should not do.
Just check theme Twenty One for reference on how to do things; that is a flagship theme and is certainly not missing an escape on the_content because of bad coding, but because it is not adequate to escape such content.

And this below certainly is no better: it does not escape or sanitise anything at all if you pass it thru a filter. Worse, it actually makes the content you pass to it filterable and thus, all escaping done before would be gone.

echo apply_filters('the_content', get_field('content_field'));

@subsolar - to allow an iframe to display in your Post Content you don’t need to do anything. You just need to make sure to use the_content as it is intended to be used.
If you have the iframe in a Custom Field, you perhaps want to pass it thru wp_kses_post which would allow for iframe, but remove forms, for example.
If you want to allow forms, you could use a custom instance of wp_kses instead.

None of those are used on the_content, however, and it might be totally unnecessary to apply to your content output, depending what it is and who saved it.
For example, if only admins can save your content, then there is no need to escape that - you can just go with the same approach as the_content does (which does NOT escape a thing, please understand this, it is very important).
However, as soon as an editor or a filter can alter your content you might want to think about escaping. Although, that said, the_content also does not care about this, and passes thru filters, so… there’s a really thin line between “just do because they tell you to” and “does it actually make sense”?

I investigated escaping and sanitising in depth because of this, and discovered that actually core code is mostly unescaped and unsanitized. It is mostly important when you have arbitrary input and possibly untrusted output. Which is, technically speaking, the case for the_content as well, but with a mix of permissions, it is, plain and simple, not escaped on output, and left to the caps check to make sure no unwanted content is saved/output. There is nothing wrong in doing the same, but you need to be sure about the purpose and access (caps) of said content. Most often, you can apply a custom wp_kses allowing just the HTML you want, in those cases.

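One way to build the "custom instance of wp_kses" suggested above for a WYSIWYG custom field, as an added example that is not code from this thread or from WordPress core. It assumes the value comes from get_field() as in the question, and that iframe is not already in the 'post' allow-list of your WordPress version (check wp_kses_allowed_html('post') for yours); the function names are made up for the example.

```php
<?php
/**
 * Added example (not from the thread): an explicit wp_kses allow-list for a
 * custom field that must keep video iframes but nothing else beyond what
 * wp_kses_post() already permits.
 */
function mytheme_wysiwyg_allowed_html() {
    // Start from the same allow-list wp_kses_post() uses (the 'post' context),
    // so headings, lists, images, links etc. keep working.
    $allowed = wp_kses_allowed_html( 'post' );

    // Add <iframe> with only the attributes an embed needs. Anything not
    // listed here (onload, srcdoc, ...) is dropped by wp_kses. The src value
    // is still run through wp_kses' protocol check (wp_allowed_protocols()),
    // so a javascript: URL is stripped as well.
    $allowed['iframe'] = array(
        'src'             => true,
        'width'           => true,
        'height'          => true,
        'title'           => true,
        'frameborder'     => true,
        'allow'           => true,
        'allowfullscreen' => true,
        'loading'         => true,
    );

    return $allowed;
}

/**
 * Filter the field value at output time and return it; the template decides
 * whether to echo. This is the "who saved it" decision from the post: apply
 * it when editors or filters can touch the content, skip it if only admins
 * with unfiltered_html ever save the field.
 */
function mytheme_wysiwyg_output( $content ) {
    return wp_kses( $content, mytheme_wysiwyg_allowed_html() );
}

// Usage in a template (hypothetical field name from the question):
// echo mytheme_wysiwyg_output( get_field( 'content_field' ) );
```

If you would rather keep using wp_kses_post() directly, the same array can be returned from a callback on the wp_kses_allowed_html filter when $context is 'post', but note that this widens the allow-list for every wp_kses_post() call on the site, not just this field.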