How do you escape these two examples?
wc_price() wraps the already escaped $product_price in p and span tags with the currency symbol.
<?php $product_price = $product->get_price(); ?>
<p><?php echo wc_price( esc_html( $product_price ) ); ?></p>
The next one outputs the complete image with all attributes: src, srcset, alt, etc.
<?php $product_img = $product->get_image(); ?>
<?php echo $product_img; ?>
2 Answers
For the first example, a lot of people will use wp_kses_post to handle basic HTML output from wrapper functions. It’s a shortcut for some basic attributes and tags using wp_kses. You could use this function where you specify allowed tags and attributes that can pass through for the second example.
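Worked example of the two escaping patterns the answer describes. This is added here and is not code from the question, the answer, WordPress or WooCommerce; it assumes WordPress and WooCommerce are loaded and that $product is a WC_Product (both names come from the question). The helper names wcx_price_html(), wcx_image_allowed_html(), wcx_image_html() and wcx_image_allowlist_check(), and the sample image string, are constructed for this illustration.

```php
<?php
// Added example, not code from the question or the answer.
// Assumes WordPress + WooCommerce are loaded and $product is a WC_Product.
// The wcx_* function names and the allow-list below are constructed.

// First example: wc_price() builds its own <span> wrappers around the
// formatted number, so the escaping pass belongs after it, not inside it.
// wp_kses_post() keeps the tags and attributes WordPress allows in post
// content and strips everything else.
function wcx_price_html( WC_Product $product ) {
    return wp_kses_post( wc_price( $product->get_price() ) );
}

// Second example: list exactly which tag and attributes may reach the page.
// wp_kses() removes any other tag and any attribute not in this array; for
// attributes WordPress treats as URLs (such as src) the value is also checked
// against wp_allowed_protocols().
function wcx_image_allowed_html() {
    return array(
        'img' => array(
            'src'     => true,
            'srcset'  => true,
            'sizes'   => true,
            'alt'     => true,
            'class'   => true,
            'width'   => true,
            'height'  => true,
            'loading' => true,
        ),
    );
}

function wcx_image_html( WC_Product $product ) {
    return wp_kses( $product->get_image(), wcx_image_allowed_html() );
}

// Constructed self-check: the style and data-track attributes are not in the
// allow-list, so wp_kses() drops them while keeping src and alt.
function wcx_image_allowlist_check() {
    $constructed = '<img src="/wp-content/uploads/sample.jpg" alt="Sample" style="border:0" data-track="1">';
    return wp_kses( $constructed, wcx_image_allowed_html() );
}
?>
<p><?php echo wcx_price_html( $product ); ?></p>
<?php echo wcx_image_html( $product ); ?>
```

Design note: wp_kses_post() would also accept an img tag with these attributes, since the post allow-list includes them, but the explicit array makes the template's contract visible and keeps it narrower than the general post rules. The allow-list is the place to extend when the theme's markup needs another attribute; anything not added there never reaches the browser.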