• Resolved Yan

    (@yan0ri)


    Original code:
    https://pastebin.com/mDy1r6UW

    Escaped code:
    https://pastebin.com/S2j1NDnx

    So I’m trying to use the code snippet linked above in my theme. I just want to make sure I’ve escaped correctly. Please suggest any edits that might be required.

    It is finally called in the header like this:

    <?php if ( function_exists( 'the_breadcrumb' ) ) the_breadcrumb(); ?>

    I have referred to the codex regarding this, but I just want to make sure I’m not under / over escaping. Any help is greatly appreciated.

    • This topic was modified 7 years, 2 months ago by Yan. Reason: used pastebin
Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator bcworkz

    (@bcworkz)

    You don’t need to escape values that do not come from your DB or user input. For example, the return of get_the_time('Y') does not need to be escaped before output. The value is generated internally from the server’s time clock, there’s no opportunity for the value to become corrupted by bad actors. You can be sure the returned value will be nothing but a few digits.

    When in doubt, go ahead and escape. Other than taking a bit more processing, it never hurts. Failing to escape when you should can be very bad for your visitors.

    Thread Starter Yan

    (@yan0ri)

    @bcworkz Thank you. I have updated it: https://pastebin.com/ikd9Kpqx

    I tried escaping echo $cats;, but it just messes up the category section in the breadcrumb. It no longer stays a link.

    Moderator bcworkz

    (@bcworkz)

    The URLs inside of the get_category_parents() return are escaped internally (the linked function is called by get_category_parents()). There’s no easy way to know when WP functions escape for you and which returns you still need to escape. Obviously the “when in doubt escape” rule is flawed. Saying it never hurts to escape was wrong of me. Going through and ensuring your otherwise working code is secure and can safely handle all situations and input is a significant part of coding.
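
    An added example, written for this thread and not taken from the poster’s pastebin or from WordPress core, that puts the two replies above side by side: values that come from the database or from the request are escaped at output, the server-generated year from get_the_time('Y') is left alone, and the HTML returned by get_category_parents() (whose link URLs are escaped internally) is printed as-is rather than being passed through esc_html(), which is what turned the poster’s category links into literal text. The function name example_breadcrumb is an assumption; every WordPress function used is a real core API.

```php
<?php
/**
 * Added example, not the thread's original code: a breadcrumb helper that
 * escapes only what needs escaping. Hook it up the same way as the poster's:
 * <?php if ( function_exists( 'example_breadcrumb' ) ) example_breadcrumb(); ?>
 */
function example_breadcrumb() {
    $sep = ' &raquo; ';
    echo '<div class="breadcrumbs">';

    // home_url() is generated from settings, but it lands inside an HTML
    // attribute, so esc_url() is the right escaper here.
    echo '<a href="' . esc_url( home_url( '/' ) ) . '">Home</a>';

    if ( is_single() ) {
        $cats = get_the_category();
        if ( ! empty( $cats ) ) {
            // get_category_parents() returns ready-made HTML with its link URLs
            // already escaped. Running it through esc_html() would encode the
            // <a> tags, which is why the category stopped being a link.
            $parents = get_category_parents( $cats[0]->term_id, true, $sep );
            if ( ! is_wp_error( $parents ) ) {
                // wp_kses_post() keeps <a> tags while stripping anything that
                // is not allowed in post content; use it if you want a filter
                // on this HTML without breaking the links.
                echo $sep . wp_kses_post( $parents );
            }
        }
        // The post title was typed by an editor and stored in the DB: escape it.
        echo $sep . esc_html( get_the_title() );
    } elseif ( is_page() ) {
        echo $sep . esc_html( get_the_title() );
    } elseif ( is_category() ) {
        // With display=false, single_cat_title() returns the raw term name.
        echo $sep . esc_html( single_cat_title( '', false ) );
    } elseif ( is_search() ) {
        // The search string comes straight from the request, so it is
        // exactly the kind of value the first reply says must be escaped.
        echo $sep . 'Search results for: ' . esc_html( get_search_query() );
    } elseif ( is_year() ) {
        // Server clock output, a few digits only: nothing here needs escaping.
        echo $sep . get_the_time( 'Y' );
    }

    echo '</div>';
}
```

    The rule of thumb the example follows: escape at the point of output, pick the escaper by context (esc_url() for attributes holding URLs, esc_attr() for other attributes, esc_html() for text nodes), and when a core function hands back HTML that is meant to be printed, either echo it directly or pass it through wp_kses_post() rather than an escaper that would encode its tags.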

    Thread Starter Yan

    (@yan0ri)

    Thank you for the input @bcworkz

    Is there a list of functions that’s escaped by WordPress or we’ll need to cross reference the functions we use with the source code to verify?

    Moderator bcworkz

    (@bcworkz)

    Such a list would be awesome! Unfortunately, I’ve never seen such a list. Functions that output content will have escaped data. Returned data that is formatted for output (i.e. HTML) is probably escaped. Anything else probably needs to be escaped.

    If you should encounter such a list, let us know.

    Thread Starter Yan

    (@yan0ri)

    @bcworkz Thank you. That’s all regarding this issue. I’m marking this solved.

    Thanks again for your time.

  • The topic ‘Properly escaping theme function’ is closed to new replies.