WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

Heredoc Output Not Escaped

A value reaches browser output without clear escaping for the final HTML context.

critical weight

Why It Shows Up

The scan found output where WordPress Coding Standards could not see `esc_html()`, `esc_attr()`, `esc_url()`, `wp_kses()`, or another context-appropriate escaping function.

Why It Matters

When dynamic data is printed raw, any user-controlled part of that data can become cross-site scripting.

How to Fix

  • Use `esc_html()` for text nodes, `esc_attr()` for attributes, and `esc_url()` for URLs.
  • Use `wp_kses()` when limited HTML is allowed.
  • Escape late, right before output, so the escaping function matches the final context.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
No results.