1.I recently had soft rejection and one of the reason was: “All dynamic data must be correctly escaped for the context where it is rendered”.
I escaped all translatable strings, get_meta_fields but I wonder if I also have to escape “theme options” when they are echo’ed?
“Always use esc_url when sanitizing URLs, including WordPress related”. What about get_permalink(), etc?
get_permalink and other WP functions are sanitized so you don’t need to worry about them, but you do need to sanitize anything else including theme options as you don’t know what the user will input.