WordPress escape values


I try to understand the esc_ options to make sure outputted content is safe and prevent XSS attacks on my website. I know things like get_permalink should be esc_ (source). But I’m not sure about variables which I use in the foreach function like $user_lesson->post_title. Should I use esc_html here, simply because I get it from the database?

$user_lessons = learndash_get_lesson_list( $user_course );

    foreach($user_lessons as $user_lesson) {
        if(learndash_is_lesson_complete($user_id, $user_lesson->ID) == true){
            echo '<li class="c-light-grey ch-orange cursor-pointer"><a href="' . esc_url( get_permalink( $user_lesson->ID ) ) . '" class="c-inherit ch-inherit"><span class="fa fa-check-circle fm-fa-regular margin-right-1"></span>' . $user_lesson->post_title . '</a></li>';
        } else {

And is it necessary to use double esc_, like:
esc_url( get_permalink( esc_html( $user_lesson->ID ) ) ) Someone told me never trust dynamical data. But an ID is always saved as an ID, right? Is less esc_ better in cases like this or should I esc_ all the dynamic data from the database?

Tetragrammaton 4 months 0 Answers 17 views 0

Leave an answer