WordPress Questions: Can I trust data from get_posts, get_the_title etc.?

Hello, I have a question related to data escaping in WordPress. Of course I saw the documentation related to this and multiple topics here on the forum. However, a few sources say different things.

Can I trust data from get_posts, get_the_title etc.? (It's obvious that I don't have to worry about the_title etc.)

You can trust the data if it’s directly from WordPress. You don’t need to use esc_ but if you have custom inputs, for example, in your theme options if you have a link area, you need to use it.

Actually, neither the_title nor get_the_title is HTML-escaped, because WordPress accepts HTML in the post title field. So if it accepts HTML, it should not be escaped. The only time you need to escape it is when you are putting the title in some HTML attribute, in which case you need to use the the_title_attribute function.

P.S. I thought it would depend on unfiltered_html permission, but it doesn’t seem like that’s the case. It seems like you can add for example <script>alert("test")</script> in page title even without unfiltered_html permission. Can someone confirm this? :confused:

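An added example, not part of the thread and not code from any poster: a template part that prints titles returned by get_posts() and escapes each value for the output context it lands in (URL, attribute, element body). The file name, the CSS class and the `$allow_inline_markup` switch are hypothetical, and the code assumes it is loaded inside a WordPress theme so that the core functions are available.

```php
<?php
/**
 * Added example (hypothetical file: template-parts/recent-titles.php).
 * Assumes it runs inside a WordPress theme, where core functions are loaded.
 */

// Hypothetical theme decision: keep markup WordPress allows in post content, or print plain text.
$allow_inline_markup = true;

$recent = get_posts(
	array(
		'numberposts' => 5,
		'post_status' => 'publish',
	)
);

echo '<ul class="recent-titles">';

foreach ( $recent as $item ) {
	// get_the_title() returns the filtered title; it is not HTML-escaped and may contain markup.
	$title = get_the_title( $item );

	// URL context: esc_url() drops disallowed protocols and encodes the value for output.
	$url = esc_url( get_permalink( $item ) );

	// Attribute context: the_title_attribute() strips tags and applies esc_attr().
	$attr = the_title_attribute(
		array(
			'post' => $item,
			'echo' => false,
		)
	);

	// Element context: either filter to the tags allowed in post content,
	// or remove all tags and escape the remainder as plain text.
	$body = $allow_inline_markup
		? wp_kses_post( $title )
		: esc_html( wp_strip_all_tags( $title ) );

	printf( '<li><a href="%1$s" title="%2$s">%3$s</a></li>', $url, $attr, $body );
}

echo '</ul>';
```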