WordPress.Security.EscapeOutput.HeredocOutputNotEscaped
Heredoc Output Not Escaped
A value reaches browser output without clear escaping for the final HTML context.
Why It Shows Up
The scan found output where WordPress Coding Standards could not see `esc_html()`, `esc_attr()`, `esc_url()`, `wp_kses()`, or another context-appropriate escaping function.
Why It Matters
When dynamic data is printed raw, any user-controlled part of that data can become cross-site scripting.
How to Fix
- Use `esc_html()` for text nodes, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` when limited HTML is allowed.
- Escape late, right before output, so the escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #51 | wpDirAuth | 32 | 250 | 135 | 500 | wp function not compatible with requires wp | ||
| #52 | IP2Location Redirection | 33 | 198 | 122 | 7k+ | Output is not escaped | ||
| #53 | Save as PDF Plugin by PDFCrowd | 33 | 299 | 254 | 1k+ | Non-prefixed global variable | ||
| #54 | EasyIndex | 34 | 74 | 135 | 1k+ | Missing nonce verification | ||
| #55 | Ultimate 410 Gone Status Code | 34 | 136 | 65 | 7k+ | Output is not escaped | ||
| #56 | ACF: Image Hotspots Field | 35 | 26 | 5 | 2k+ | Text Domain Mismatch | ||
| #57 | Core Framework | 35 | 70 | 62 | 10k+ | Text Domain Mismatch | ||
| #58 | Easy Noindex And Nofollow | 35 | 55 | 18 | 400 | Output is not escaped | ||
| #59 | AI Popup Builder & Popup Maker by OptiMonk | 35 | 81 | 65 | 4k+ | Text Domain Mismatch | ||
| #60 | Post Password Token | 35 | 132 | 38 | 600 | Text Domain Mismatch | ||
| #61 | bpost shipping | 36 | 97 | 43 | 700 | Output is not escaped | ||
| #62 | ColorMeShop WordPress Plugin | 36 | 392 | 37 | 600 | Exception output is not escaped | ||
| #63 | Ozh' Admin Drop Down Menu | 36 | 125 | 43 | 3k+ | Output is not escaped | ||
| #64 | Out of Stock Message Manager for WooCommerce | 36 | 293 | 95 | 2k+ | Text Domain Mismatch | ||
| #65 | Easy Photo Album | 37 | 360 | 43 | 1k+ | Text Domain Mismatch | ||
| #66 | Get Custom Field Values | 37 | 40 | 44 | 1k+ | Output is not escaped | ||
| #67 | Monobank WP Payment | 37 | 78 | 41 | 1k+ | Text Domain Mismatch | ||
| #68 | Ozh' Better Feed | 38 | 45 | 35 | 600 | Heredoc Output Not Escaped | ||
| #69 | Responsive Mailform ( Plugin Version ) – easy, responsive, contact, mailform | 38 | 120 | 107 | 500 | Output is not escaped | ||
| #70 | Slickstream: Engagement and Conversions | 38 | 100 | 19 | 2k+ | Output is not escaped | ||
| #71 | White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard | 38 | 205 | 31 | 10k+ | Output is not escaped | ||
| #72 | Genesis Dambuster | 39 | 94 | 67 | 3k+ | Output is not escaped | ||
| #73 | Allow Multiple Accounts | 40 | 115 | 19 | 9k+ | Non Singular String Literal Domain | ||
| #74 | Dashify: WooCommerce admin dashboard theme | 40 | 16 | 131 | 900 | Nonce verification recommended | ||
| #75 | Text Hover | 41 | 44 | 13 | 1k+ | Output is not escaped | ||
| #76 | Text Replace | 41 | 55 | 12 | 3k+ | Output is not escaped | ||
| #77 | LINE Auto Post | 45 | 19 | 11 | 500 | Heredoc Output Not Escaped | ||
| #78 | KCSG Kartra Pages | 47 | 30 | 16 | 500 | Heredoc Output Not Escaped | ||
| #79 | Navigation menu as Dropdown Widget | 48 | 49 | 1 | 2k+ | Output is not escaped | ||
| #80 | TrustedSite | 50 | 29 | 14 | 20k+ | Output is not escaped | ||
| #81 | Tiny gtag.js Analytics | 51 | 39 | 0 | 400 | Output is not escaped | ||
| #82 | Enhanced Category Pages | 55 | 23 | 25 | 2k+ | Direct Query | ||
| #83 | Chat Button & Custom ChatGPT-Powered Bot by GetButton.io | 58 | 26 | 8 | 20k+ | Non-prefixed function | ||
| #84 | Product Subtitle For WooCommerce | 72 | 6 | 36 | 3k+ | Non-prefixed namespace | ||
| #85 | Dash Notifier | 73 | 12 | 6 | 20k+ | Heredoc Output Not Escaped | ||
| #86 | Colored Admin Post List | 75 | 8 | 0 | 500 | Heredoc Output Not Escaped |