I had a look at the code but I couldn't see any escaping on functions like the_excerpt etc. I might not be reading it right. Do I need to escape these functions in theme development like:
esc_html( the_title() )
Edit: as pointed out in the answers below, the above code is wrong regardless. The code should have read
esc_html( get_the_title() )
Escaping depends entirely on the context in which you are using the functions. What is safe for displaying inside <h1> tags is not necessarily safe to display as the value attribute of an input field, and even that wouldn't necessarily be safe as a href attribute value...
In short – perform the sanitisation yourself as you output it. Though in the case of the_title() or esc_html is not necessary, since WordPress applies the following functions:
the_title prints the title – so esc_html( the_title() ) won't work. Similarly, the_content prints the content (in any case, you'd expect the content to display HTML).
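To make the context point concrete, here is an added template fragment (example code written for this page, not taken from the question, the answer, or any WordPress theme). It assumes it runs inside The Loop of a theme file such as single.php, so get_the_title(), get_permalink() and get_the_excerpt() resolve against the current post; the get_* functions return strings, whereas the_title() and the_content() print directly. Each output site picks the escaping function that matches where the value lands: esc_html() for element text, esc_attr() for attribute values, esc_url() for href values.

```php
<?php
// Added example, not from the original question or answer.
// Assumes a WordPress theme template running inside The Loop.

$title     = get_the_title();    // returns the string; the_title() would print it
$permalink = get_permalink();
$excerpt   = get_the_excerpt();
?>

<!-- Element body: HTML context, so escape <, >, & and quotes -->
<h1><?php echo esc_html( $title ); ?></h1>

<!-- Attribute value: attribute context; a stray quote here would close the attribute -->
<input type="text" name="post_title" value="<?php echo esc_attr( $title ); ?>">

<!-- href value: URL context; esc_url() normalises the URL and drops disallowed schemes -->
<a href="<?php echo esc_url( $permalink ); ?>" title="<?php echo esc_attr( $title ); ?>">
    <?php echo esc_html( $title ); ?>
</a>

<!-- Post content is expected to contain HTML, so it is not passed through esc_html() -->
<div class="entry-content">
    <?php the_content(); ?>
</div>

<!-- Excerpt reused in an attribute: strip markup first, then attribute-escape -->
<meta name="description" content="<?php echo esc_attr( wp_strip_all_tags( $excerpt ) ); ?>">
```

The same title string is escaped three different ways above because each location has different terminating characters; picking the function for the destination, rather than escaping once at the source, is what the answer means by "perform the sanitisation yourself as you output it".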