I am finishing a project with a very picky agency. They have a code sniffer via Composer and you must correct all the "errors", so they want escaping before any echo.
And I have a widget area: echo ( beans_widget_area( 'mobile_offcanvas_menu' ) ); the system wants an escape function. I tried several, and they make the widget fail...
I don't know what to do, as their system is automated, and they do continuous integration that fails if you don't correct all the "errors".
If built properly, you have control over the widgets' output, which should already be correctly escaped, and it is therefore safe to output it. If this is the case for your website and you are 100% in control of the widgets, you may add a trailing comment // WPCS XSS ok. to tell the code sniffer that it is a safe output. For example, your line will look like:
echo beans_widget_area( 'example_widget_area' ); // WPCS XSS ok.
Otherwise, you may escape the entire widget area using wp_kses_post() as such:
echo wp_kses_post( beans_widget_area( 'example_widget_area' ) );
Depending on the widgets, the post allowed HTML might remove crucial HTML from the widgets. If this is the case, you may rather use wp_kses() and define the HTML tags allowed according to your need. Let me know if this is the case and I will write a quick example.
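The wp_kses() approach mentioned in the reply above, as an added example that is not part of the original thread or of Beans itself. The function name and the extra tags and attributes are assumptions chosen for illustration; replace them with what your widgets' markup actually needs.

```php
<?php
/**
 * Build an allow-list for a widget area: start from the list that
 * wp_kses_post() uses and add only what the widgets require.
 * example_widget_area_allowed_html() is a hypothetical helper name.
 */
function example_widget_area_allowed_html() {
	// Same allow-list as wp_kses_post().
	$allowed = wp_kses_allowed_html( 'post' );

	// Assumed additions (not taken from the thread): state attributes a
	// collapsible menu may rely on, and the form tags of a search widget.
	$extra = array(
		'ul'    => array( 'hidden' => true, 'aria-hidden' => true ),
		'li'    => array( 'aria-expanded' => true ),
		'a'     => array( 'aria-expanded' => true ),
		'form'  => array( 'action' => true, 'method' => true, 'role' => true, 'class' => true ),
		'input' => array( 'type' => true, 'name' => true, 'value' => true, 'placeholder' => true, 'class' => true ),
	);

	foreach ( $extra as $tag => $attributes ) {
		// Keep the attributes already allowed for the tag, then add ours.
		$existing        = ( isset( $allowed[ $tag ] ) && is_array( $allowed[ $tag ] ) ) ? $allowed[ $tag ] : array();
		$allowed[ $tag ] = array_merge( $existing, $attributes );
	}

	// Never widen the list to script or event-handler attributes (onclick, ...).
	return $allowed;
}

// Anything not in the allow-list is stripped before output.
echo wp_kses(
	beans_widget_area( 'example_widget_area' ),
	example_widget_area_allowed_html()
);
```

To find what to add, compare the widget area's raw markup with its wp_kses_post() output and allow only the tags and attributes that went missing.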
It's the mobile menu widget inside the widget; wp_kses_post was making the submenu opened by default!
So I added this // WPCS XSS ok. and it seems to work!
I am going to ask Tonya for a course, you're right, so much to know with all these functions.