This isn’t about what HTML escaping is or how it’s done, but if there’s an established best practice about when to do it.
I have some utility code in my plugin that may generate a WP_Error based on user input, and other display code that shows that WP_Error. Of course that user input needs to be HTML escaped when displaying, but I’m not sure when would be the best time to do it.
I have a choice about whether to:
1. Escape the message as I’m constructing the WP_Error, and the display code shows it as-is.
2. Don’t worry about escaping when constructing the WP_Error, and in the display code fully escape all the WP_Error messages.
Either would work, but if my plugin ends up interacting with other plugins and possibly displaying their WP_Error or vice-versa, I’d like to match whatever precedent exists in the WordPress world.
I had hoped the documentation would address this, but I didn’t see anything on https://codex.wordpress.org/Class_Reference/WP_Error
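The two options above, crossed with the two kinds of display code another plugin might pair them with, as an added example that is not part of the original post. It prints the HTML each of the four producer/consumer combinations would emit for one constructed input containing markup. The `demo_*` functions are hypothetical, and the `esc_html()` and `WP_Error` stand-ins are simplified assumptions used only when WordPress is not loaded.

```php
<?php
// Stand-ins so the file runs with plain `php`; under WordPress the real ones are used.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        // Approximation: like core, existing entities are not encoded a second time.
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8', false );
    }
}
if ( ! class_exists( 'WP_Error' ) ) {
    class WP_Error {
        private $messages = array();
        public function __construct( $code = '', $message = '' ) {
            $this->messages[] = $message;
        }
        public function get_error_messages() {
            return $this->messages;
        }
    }
}

// Hypothetical producers: option 1 (escape at construction) and option 2 (store raw).
function demo_error_escaped_early( $name ) {
    return new WP_Error( 'bad_name', 'Invalid name: ' . esc_html( $name ) );
}
function demo_error_raw( $name ) {
    return new WP_Error( 'bad_name', 'Invalid name: ' . $name );
}

// Hypothetical display code: escape on output, or trust the stored message as-is.
function demo_render( WP_Error $error, $escape_on_output ) {
    $html = '';
    foreach ( $error->get_error_messages() as $message ) {
        $body  = $escape_on_output ? esc_html( $message ) : $message;
        $html .= '<p class="error">' . $body . '</p>';
    }
    return $html;
}

$input = '<em>x</em>'; // constructed sample of user input containing markup
foreach ( array( 'demo_error_escaped_early', 'demo_error_raw' ) as $producer ) {
    foreach ( array( true, false ) as $escape_on_output ) {
        $html     = demo_render( $producer( $input ), $escape_on_output );
        $survives = false !== strpos( $html, '<em>' ) ? 'YES' : 'no';
        printf( "%-26s escape-on-output=%-3s markup-survives=%-3s %s\n",
            $producer, $escape_on_output ? 'yes' : 'no', $survives, $html );
    }
}
```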