WordPress.Security.EscapeOutput.HeredocOutputNotEscaped
Heredoc Output Not Escaped
A value reaches browser output without clear escaping for the final HTML context.
Why It Shows Up
The scan found output where WordPress Coding Standards could not see `esc_html()`, `esc_attr()`, `esc_url()`, `wp_kses()`, or another context-appropriate escaping function.
Why It Matters
When dynamic data is printed raw, any user-controlled part of that data can become cross-site scripting.
How to Fix
- Use `esc_html()` for text nodes, `esc_attr()` for attributes, and `esc_url()` for URLs.
- Use `wp_kses()` when limited HTML is allowed.
- Escape late, right before output, so the escaping function matches the final context.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| No results. | ||||||||