I have the following two snippets of code that render the custom code in the header.php and footer.php:

<!-- code before closing head tag -->
<?php echo $x_redux_option['x_code_before_head']; ?>
<!-- code before closing body tag -->
<?php echo $x_code_before_body; ?>

The data is coming from the redux framework dynamically. And the options only accept code wrapped with script tags and HTML markup that is valid inside the <head> tag for header and valid HTML markup for footer.

The fact is that the Mentor Themeforest shows the following errors:

  1. All dynamic data must be correctly escaped for the context where it is rendered. at file header.php, line 39:

  2. All dynamic data must be correctly escaped for the context where it is rendered. at file footer.php, line 44:


How can I escape this data? Should I use the wp_kses() function? But which HTML tags should I allow? How can I know which tags should be allowed?

Please, extend your helping hand as before. :) Thank you so much for taking the trouble to read.

1 Answer

I'd go with esc_html. Since you are going to echo HTML and scripts, wp_kses would need to allow pretty much all the tags. Your code is gonna look like this:

<!-- code before closing head tag -->
<?php echo esc_html( $x_redux_option['x_code_before_head'] ); ?>
<!-- code before closing body tag -->
<?php echo esc_html( $x_code_before_body ); ?>

I suppose you're familiar with data escaping, however I'll leave a link to official WordPress docs anyway:

https://developer.wordpress.org/themes/theme-security/data-sanitization-escaping/

Thanks, Luca

4 Comments

Thank you so much, Luca :) . Yes, I am familiar with data escaping. My concern is whether esc_html() is the best practice for this purpose. Have you ever used this on any ThemeForest submission? Thanks again for your kind help. (Y)
Yes, I'm using all kinds of escape functions in my themes, depends on the data. For me the esc_html would be the best in this case. FYI - I've dropped support of Redux Framework in favour of standard WordPress tools. As far as I'm concerned, theme submission requirements on official WordPress.org site already require using nothing but pure WordPress. I suppose that in a year or two ThemeForest will have to do the same.
I can't edit my previous comment, sorry. If you find my answer useful, kindly mark it as correct, I would be very grateful :)
Oh! Yes, of course. :) I did decide to mark it as my answer when I found the solution.
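
An added example, not part of the answer or comments above and not the theme's own code: how the two functions named in this thread, esc_html() and wp_kses(), treat a constructed value for the head option. It assumes it runs inside WordPress (for instance from functions.php); the x_demo_* names and the allowlist contents are hypothetical, and $x_redux_option is assumed to be the global that the question's header.php reads.

```php
<?php
// Added example: assumes WordPress is loaded. All x_demo_* names are hypothetical.

// Allowlist for markup that is valid inside <head>. The tags and attributes
// are this example's choice; narrow them to what the option really needs.
function x_demo_head_allowed_html() {
	return array(
		'script' => array( 'src' => true, 'type' => true, 'async' => true, 'defer' => true ),
		'style'  => array( 'type' => true, 'media' => true ),
		'meta'   => array( 'name' => true, 'content' => true, 'property' => true, 'charset' => true ),
		'link'   => array( 'rel' => true, 'href' => true, 'type' => true, 'media' => true ),
	);
}

// Filter a stored snippet against the allowlist: tags and attributes that are
// not listed are removed, listed ones stay as working markup.
function x_demo_filter_head_code( $raw ) {
	return wp_kses( $raw, x_demo_head_allowed_html() );
}

// Compare both functions on a constructed sample value for the option.
function x_demo_compare() {
	$sample = '<script src="https://example.com/a.js" onload="x()"></script>'
		. '<iframe src="https://example.com/"></iframe>';

	return array(
		// esc_html() encodes <, >, & and quotes, so the browser shows the
		// snippet as text instead of running it as markup.
		'esc_html' => esc_html( $sample ),
		// wp_kses() keeps <script src> (allowlisted) and removes the onload
		// attribute and the <iframe> tag (not allowlisted).
		'wp_kses'  => x_demo_filter_head_code( $sample ),
	);
}

// Output path: echo the filtered option in the head.
add_action( 'wp_head', function () {
	global $x_redux_option; // assumption: the global used in the question
	if ( ! empty( $x_redux_option['x_code_before_head'] ) ) {
		// Already filtered by wp_kses() against the allowlist above.
		echo x_demo_filter_head_code( $x_redux_option['x_code_before_head'] );
	}
} );
```

wp_kses() parses HTML, not JavaScript, so inline script bodies that contain `<` or `>` may come back entity-encoded; snippets loaded through a `src` attribute are not affected.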
