I’m a complete neophyte when it comes to PHP, so I suspect this question has a simple answer that I’m just not able to find yet.
I’m using PHP Code Sniffer with WordPress Coding Standards to put together a basic wordpress plugin. A bunch of tutorial code I’ve encountered encouraged echoing content along the lines of:
echo $before_widget . $before_title . $title . $after_title;
Which works fine, but which PHP Code Sniffer raises a warning before each variable echoed of
expected next thing to be an escaping function not $VariableName.Intuitively, I don’t want to escape these variables – HTML contained in them should render properly, and it’s hard to see how an attacker could have changed the instance
$args object where
$before_widget etc. come from to introduce XSS vulnerabilities. But as I said, I’m new to PHP, WordPress, etc. and I’m not aware of what will have had access to these variables in full before I get them.
Long story short: Given I want the HTML to be rendered as HTML (I do not want to escape it), how should I either prepare them such that I am protected from any XSS issues I’m not aware of, or inform PHP Code Sniffer that these are not user input, and therefore are safe?