I’m a complete neophyte when it comes to PHP, so I suspect this question has a simple answer that I’m just not able to find yet.

I’m using PHP Code Sniffer with WordPress Coding Standards to put together a basic WordPress plugin. A bunch of tutorial code I’ve encountered encouraged echoing content along the lines of:

echo $before_widget . $before_title . $title . $after_title;

This works fine, but PHP Code Sniffer raises a warning before each echoed variable: “expected next thing to be an escaping function, not $VariableName”. Intuitively, I don’t want to escape these variables – HTML contained in them should render properly, and it’s hard to see how an attacker could have changed the instance $args object where $before_widget etc. come from to introduce XSS vulnerabilities. But as I said, I’m new to PHP, WordPress, etc., and I’m not aware of what will have had access to these variables in full before I get them.

Long story short: Given I want the HTML to be rendered as HTML (I do not want to escape it), how should I either prepare them such that I am protected from any XSS issues I’m not aware of, or inform PHP Code Sniffer that these are not user input, and therefore are safe?
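One way to keep the wrapper HTML rendering while satisfying the sniff, as an added example that is not part of the original question: the markup that the theme registered through register_sidebar() (the $before_widget / $before_title family) is echoed with a phpcs:ignore annotation that names the sniff, the way core widgets do, while anything that originated in the widget form is escaped or run through wp_kses_post(). The class name and instance keys are assumed for illustration, and the annotation syntax assumes PHP_CodeSniffer 3 or later.

```php
<?php
/**
 * Added example (not from the original question): a minimal widget whose
 * output passes the WordPress.Security.EscapeOutput sniff.
 * The class name and the 'title' / 'text' instance keys are assumed.
 */
class Example_Greeting_Widget extends WP_Widget {

    public function __construct() {
        parent::__construct( 'example_greeting', 'Example Greeting' );
    }

    public function widget( $args, $instance ) {
        // $args['before_widget'] etc. are sidebar markup supplied by the theme
        // via register_sidebar(), not user input. Escaping them would break the
        // intended HTML, so the sniff is silenced for exactly these lines.
        echo $args['before_widget']; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped

        // The title was typed into the widget form and stored in the database,
        // so it is user-controlled: run the standard filter, then escape as text.
        $title = apply_filters( 'widget_title', $instance['title'] ?? '' );
        if ( '' !== $title ) {
            echo $args['before_title']; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
            echo esc_html( $title );
            echo $args['after_title']; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
        }

        // Body text that is allowed to contain HTML: wp_kses_post() keeps the
        // post-safe tag set and drops script tags, event handlers and the like,
        // which also satisfies the sniff.
        echo wp_kses_post( $instance['text'] ?? '' );

        echo $args['after_widget']; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
    }

    public function update( $new_instance, $old_instance ) {
        // Sanitise on the way in as well, so stored data is already constrained.
        return array(
            'title' => sanitize_text_field( $new_instance['title'] ?? '' ),
            'text'  => wp_kses_post( $new_instance['text'] ?? '' ),
        );
    }
}

add_action( 'widgets_init', function () {
    register_widget( 'Example_Greeting_Widget' );
} );
```

The annotation is deliberately narrow: it names one sniff and applies to one line, so the sniff keeps checking every other echo in the plugin.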

Read more here: How should html variables be prepared in php (and specifically, WordPress) before echoing
