Should messages in WP_Error already be html escaped?

This isn’t about what html escaping is or how it’s done, but if there’s an established best practice about when to do it.

I have some utility code in my plugin that may generate a WP_Error based on user input, and other display code that shows that WP_Error. Of course that user input needs to be html escaped when displaying, but I’m not sure when would be the best time to do it.

I have a choice about whether to:

Escape the message as I’m constructing the WP_Error, and the display code shows it as-is.

Don’t worry about escaping when constructing the WP_Error, and in the display code fully escape all the WP_Error messages.

Either would work, but if my plugin ends up interacting with other plugins and possibly displaying their WP_Error or vice-versa, I’d like to match whatever precedent exists in the WordPress world.

I had hoped the documentation would address this, but I didn’t see anything on

Read more here:: Should messages in WP_Error already be html escaped?

Leave a Reply

Your email address will not be published. Required fields are marked *