WordPress VIP guideline says Always Escape Late.
My argument is if we use a string 10 times in a template why do we need to escape it every time we echo it? Process time ++?
Here is their argument
1. “late escaping” makes VIP reviewers more efficient, which means customer code is reviewed and deployed faster,
2. a consistent practice of “late escaping” makes missed escaping obvious, thereby reducing the chances that unescaped output makes it into production,
3. a consistently applied escaping standard- and we’ve chosen “late escaping” as ours- allows automated tools to better augment our human reviewers…further improving on #1 and #2 above.
Here is how I interpreted it.
- Indirectly they say it can help them speed up things. Automated tools like phpcs can easily find if a string is escaped or not while echoing. Faster code review because of automated tools.
- If you make mistake still it is going to escape it while being displayed.
- Automated tools.
But in general it is a good practice and recommended to escape everything.
We can trust translation string which is hard-coded but can we trust pot file that is generated for another language?
I think that too we can if we going to commit it in our plugin or theme.
Yes, still they need to be escaped.
Still trying to figure out why we need to.
“Escaping isn’t only about protecting from bad guys. It’s just making our software durable. Against random bad input, against malicious input, or against bad weather.”
Rule of thumb “Escape all output” & “Never trust user input”
Never underestimate the power of attackers.
But late escaping is not “the one true way” to achieve security but one of the way.
As my favorite character Bilbo say, “I’m ready for my next adventure!”