Closed tareiking closed 8 years ago
Thanks for this @tareiking! Do you think escaping is necessary in all these cases? Some of the outputted data is not user-based at all or should already be safe beforehand - for example in the CSS part you changed, these values are already integers, so nothing to possibly escape there, or am I missing something?
Hi @felixarntz - I did see they were already cast accordingly, however - best to escape as late as possible (which is as it's being output / echo'd): WordPress Coding Standards would probably enforce those examples.
While it might not be absolutely necessary now, things might change - and at least your bases are covered.
Add late escaping as per: https://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data
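The trade-off discussed in this thread, as an added example that is not part of the original discussion or the project's code: integers cast when settings are loaded versus escaped again at the point of output. It is plain PHP with no WordPress loaded; `to_abs_int()` is a hypothetical stand-in for WordPress's `absint()`, and the setting names, the `override_settings()` step and the sample values are constructed for illustration.

```php
<?php
// Added illustration in plain PHP (no WordPress loaded).
// to_abs_int() is a hypothetical stand-in for WordPress's absint().
function to_abs_int( $value ) {
    return abs( (int) $value );
}

// Values are cast once, when the settings are loaded.
function load_settings( array $raw ) {
    return array(
        'width'  => (int) $raw['width'],
        'height' => (int) $raw['height'],
    );
}

// Hypothetical later change: another code path replaces a setting
// after the cast, the way a filter callback could.
function override_settings( array $settings, array $overrides ) {
    return array_merge( $settings, $overrides );
}

// Relies on the earlier cast and prints the values as they are.
function render_css_unescaped( array $s ) {
    return sprintf( '.box { width: %spx; height: %spx; }', $s['width'], $s['height'] );
}

// Escapes at the point of output, whatever happened upstream.
function render_css_late_escaped( array $s ) {
    return sprintf(
        '.box { width: %dpx; height: %dpx; }',
        to_abs_int( $s['width'] ),
        to_abs_int( $s['height'] )
    );
}

// Constructed sample input: the override carries a string, not an integer.
$settings = load_settings( array( 'width' => '300', 'height' => '200' ) );
$settings = override_settings( $settings, array( 'width' => '300; color: red' ) );

echo render_css_unescaped( $settings ), PHP_EOL;
echo render_css_late_escaped( $settings ), PHP_EOL;
```

The first renderer emits the overridden string verbatim inside the rule, while the second still emits integer pixel values because the conversion happens where the value is printed.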