Title: Properly escaping theme function
Last modified: September 20, 2017

---

# Properly escaping theme function

 *  Resolved [Yan](https://wordpress.org/support/users/yan0ri/)
 * (@yan0ri)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/properly-escaping-theme-function/)
 * Original code:
    [https://pastebin.com/mDy1r6UW](https://pastebin.com/mDy1r6UW)
 * Escaped code:
    [https://pastebin.com/S2j1NDnx](https://pastebin.com/S2j1NDnx)
 * So I’m trying to use the code snippet linked above in my theme. I just want to
   make sure I’ve escaped correctly. Please suggest any edits that might be required.
 * It is finally called in the header like this:
 * `<?php if ( function_exists( 'the_breadcrumb' ) ) the_breadcrumb(); ?>`
 * I have referred to the codex regarding this, but I just want to make sure I’m not
   under / over escaping. Any help is greatly appreciated.
    -  This topic was modified 8 years, 7 months ago by [Yan](https://wordpress.org/support/users/yan0ri/).
      Reason: used pastebin

Viewing 6 replies - 1 through 6 (of 6 total)

 *  Moderator [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * (@bcworkz)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/properly-escaping-theme-function/#post-9515525)
 * You don’t need to escape values that do not come from your DB or user input. 
   For example, the return of `get_the_time('Y')` does not need to be escaped before
   output. The value is generated internally from the server’s time clock, there’s
   no opportunity for the value to become corrupted by bad actors. You can be sure
   the returned value will be nothing but a few digits.
 * When in doubt, go ahead and escape. Other than taking a bit more processing, 
   it never hurts. Failing to escape when you should can be very bad for your visitors.
 *  Thread Starter [Yan](https://wordpress.org/support/users/yan0ri/)
 * (@yan0ri)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/properly-escaping-theme-function/#post-9515689)
 * [@bcworkz](https://wordpress.org/support/users/bcworkz/) Thank you. I have updated
   it: [https://pastebin.com/ikd9Kpqx](https://pastebin.com/ikd9Kpqx)
 * I tried escaping `echo $cats;`, but it just messes up the category section in
   the breadcrumb. It no longer stays a link.
 *  Moderator [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * (@bcworkz)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/properly-escaping-theme-function/#post-9518390)
 * The URLs inside of the get_category_parents() return are [escaped internally](https://core.trac.wordpress.org/browser/tags/4.8/src/wp-includes/category-template.php?marks=1328#L1290).
   (The linked function is called by get_category_parents().) There’s no easy way 
   to know when WP functions escape for you and which returns you still need to 
   escape. Obviously the “when in doubt escape rule” is flawed. Saying it never 
   hurts to escape was wrong of me. Going through and ensuring your otherwise working
   code is secure and can safely handle all situations and input is a significant
   part of coding.
 *  Thread Starter [Yan](https://wordpress.org/support/users/yan0ri/)
 * (@yan0ri)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/properly-escaping-theme-function/#post-9518468)
 * Thank you for the input [@bcworkz](https://wordpress.org/support/users/bcworkz/)
 * Is there a list of functions that are escaped by WordPress, or will we need to cross-reference
   the functions we use with the source code to verify?
 *  Moderator [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * (@bcworkz)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/properly-escaping-theme-function/#post-9521453)
 * Such a list would be awesome! Unfortunately, I’ve never seen such a list. Functions
   that output content will have escaped data. Returned data that is formatted for
   output (i.e. HTML) is _probably_ escaped. Anything else probably needs to be 
   escaped.
 * If you should encounter such a list, let us know 🙂
 *  Thread Starter [Yan](https://wordpress.org/support/users/yan0ri/)
 * (@yan0ri)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/properly-escaping-theme-function/#post-9521816)
 * [@bcworkz](https://wordpress.org/support/users/bcworkz/) Thank you. That’s all
   regarding this issue. I’m marking this solved.
 * Thanks again for your time 🙂
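
The case discussed in the replies above, as an added example that is not part of the original thread or the pastebin code: each value is escaped for the context it lands in, and the HTML returned by `get_category_parents()` is filtered against an allow-list instead of being passed through `esc_html()`. The function name `mytheme_breadcrumb` is hypothetical, and the code assumes it runs in a theme's `functions.php` on a single-post view inside WordPress.

```php
<?php
/**
 * Added example: hypothetical theme function for functions.php.
 * Assumes a running WordPress install and a single-post view.
 */
function mytheme_breadcrumb() {
	// URL placed in an href attribute: escape with esc_url() at output time.
	echo '<a href="' . esc_url( home_url( '/' ) ) . '">';
	// Site name is stored in the database and lands in element content.
	echo esc_html( get_bloginfo( 'name' ) ) . '</a> / ';

	$categories = get_the_category();
	if ( ! empty( $categories ) ) {
		// With $link = true the return value is HTML: <a href="...">Name</a> / ...
		$cats = get_category_parents( $categories[0]->term_id, true, ' / ' );

		// get_category_parents() returns a WP_Error for an invalid category.
		if ( ! is_wp_error( $cats ) ) {
			// esc_html( $cats ) would turn the <a> tags into &lt;a ...&gt; text,
			// which is why the category stopped being a link. Filter against
			// an allow-list instead: only <a href> is kept, other tags and
			// attributes are stripped.
			echo wp_kses( $cats, array( 'a' => array( 'href' => array() ) ) );
		}
	}

	// Post title is user-supplied text placed in element content.
	echo esc_html( get_the_title() );
}
```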

The topic ‘Properly escaping theme function’ is closed to new replies.

## Tags

 * [escaping](https://wordpress.org/support/topic-tag/escaping/)
 * [theme development](https://wordpress.org/support/topic-tag/theme-development/)

 * In: [Developing with WordPress](https://wordpress.org/support/forum/wp-advanced/)
 * 6 replies
 * 2 participants
 * Last reply from: [Yan](https://wordpress.org/support/users/yan0ri/)
 * Last activity: [8 years, 7 months ago](https://wordpress.org/support/topic/properly-escaping-theme-function/#post-9521816)
 * Status: resolved

