Question about escaping dynamic data



Hi, I have two questions:

1. I recently had a soft rejection and one of the reasons was: “All dynamic data must be correctly escaped for the context where it is rendered”.
I escaped all translatable strings and get_meta_fields, but I wonder if I also have to escape “theme options” when they are echoed?

2. “Always use esc_url when sanitizing URLs, including WordPress related”. What about get_permalink(), etc?


get_permalink and other WP functions are sanitized so you don’t need to worry about them, but you do need to sanitize anything else including theme options as you don’t know what the user will input.


Thanks for the answer.

So why did they write “including WordPress related”?


Just for clarification: get_permalink is not escaped, but the_permalink is. It looks like all “get_” link functions need to be escaped.
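As an added example that is not part of this thread, here is how the points above look inside a theme template: `get_*` functions return raw values that are escaped at output for the context they land in (HTML body, attribute, URL), theme options and post meta are treated as untrusted user input, and translatable strings use the combined translate-and-escape helpers. The option names, meta key and text domain (`my_theme_*`, `my-theme`) are assumed placeholders, not values from the thread.

```php
<?php
// Added example (not from the thread): escape dynamic data at output time,
// choosing the escaping function by the context the value is rendered in.
// Option names, meta key and text domain below are assumed placeholders.

// 1. Theme options are user input: escape them where they are echoed.
$tagline = get_theme_mod( 'my_theme_tagline', '' );           // assumed option name
echo '<p class="tagline">' . esc_html( $tagline ) . '</p>';   // HTML body context

// The same value inside an HTML attribute needs esc_attr(), not esc_html().
echo '<div data-tagline="' . esc_attr( $tagline ) . '"></div>';

// 2. Links: the_permalink() escapes its own output, but get_permalink() returns
//    a raw string, so wrap it in esc_url() when building an href yourself.
echo '<a href="' . esc_url( get_permalink() ) . '">'
   . esc_html( get_the_title() )
   . '</a>';

// A URL stored in a theme option is untrusted on both counts: escape it as a URL.
$twitter_url = get_theme_mod( 'my_theme_twitter_url', '' );   // assumed option name
if ( $twitter_url ) {
    echo '<a href="' . esc_url( $twitter_url ) . '" rel="noopener">'
       . esc_html__( 'Follow us', 'my-theme' )
       . '</a>';
}

// 3. Post meta (custom fields) is user input too.
$subtitle = get_post_meta( get_the_ID(), 'my_theme_subtitle', true ); // assumed meta key
if ( $subtitle ) {
    echo '<h2>' . esc_html( $subtitle ) . '</h2>';
}

// 4. Translatable strings: esc_html__() / esc_attr__() translate and escape in one step.
echo '<button title="' . esc_attr__( 'Open menu', 'my-theme' ) . '">'
   . esc_html__( 'Menu', 'my-theme' )
   . '</button>';

// 5. An option that is allowed to contain markup: do not echo it raw,
//    pass it through wp_kses_post() so only post-safe HTML survives.
$footer_html = get_theme_mod( 'my_theme_footer_html', '' );   // assumed option name
echo wp_kses_post( $footer_html );
```

The rule of thumb the example follows: escape as late as possible (at `echo`), pick the function by destination (`esc_html` for text nodes, `esc_attr` for attributes, `esc_url` for `href`/`src`, `wp_kses_post` when markup is intentionally allowed), and treat anything a site owner can type into the Customizer or a custom field exactly like any other untrusted input.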