XSS in WordPress Themes: Common Pitfalls and Fixes

WordPress theme code is where a lot of XSS bugs quietly survive for years. I’ve seen the same pattern over and over: the plugin gets blamed, the CMS gets blamed, but the actual issue lives in a theme template that prints user-controlled data (a query string, a custom field, a search term) with zero escaping. Theme developers often focus on layout, custom fields, menus, search forms, AJAX helpers, and admin options. Security ends up as an afterthought. The awkward part is that WordPress already gives you solid, context-specific escaping APIs (esc_html(), esc_attr(), esc_url(), esc_js()) alongside the sanitization helpers for input. Most theme XSS bugs happen because developers either skip them or use the wrong one in the wrong context. ...

April 27, 2026 · 7 min · headertest.com

XSS Prevention in PHP: Common Mistakes and Fixes

Cross-site scripting in PHP usually happens because someone escaped the wrong thing, in the wrong place, at the wrong time. I’ve seen teams add htmlspecialchars() everywhere and still ship XSS. Not because the function is bad, but because XSS prevention is context-sensitive. A value that is safe in HTML text is not automatically safe in an attribute, a JavaScript string, or a URL. If you remember one rule, make it this one: ...

April 9, 2026 · 7 min · headertest.com
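Both excerpts above make the same point: escaping is tied to the output context, and htmlspecialchars() (or esc_html() in WordPress) only covers HTML text and quoted attributes. The block below is an added, self-contained illustration written for this page in plain PHP, not code taken from either post and not using WordPress functions. The helper names (out_html, out_js, out_url_param, out_href) and the payload strings are constructed for the demonstration; still_vulnerable() shows two renderings that do call htmlspecialchars() and remain exploitable, so a reader can compare them against the context-correct versions.

```php
<?php
declare(strict_types=1);
// Added example for the two posts above (not their code). Plain PHP, no
// WordPress. Shows one untrusted value rendered into four output contexts,
// plus two common "escaped but still XSS" mistakes. All inputs are constructed.

// 1. HTML text and *quoted* attributes. Pass ENT_QUOTES explicitly: before
//    PHP 8.1 the default (ENT_COMPAT) left single quotes alone, which breaks
//    single-quoted attributes such as title='...'.
function out_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 2. JavaScript string literal inside <script>. HTML escaping is the wrong
//    tool here; emit a JSON literal with the HEX flags so "</script>", quotes
//    and ampersands are encoded and cannot end the script block or the string.
function out_js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
}

// 3. Value embedded in a URL query string: percent-encode it. The finished
//    URL is then attribute-escaped with out_html() when it lands in an href.
function out_url_param(string $s): string
{
    return rawurlencode($s);
}

// 4. Attacker-supplied URL used as a whole href. No amount of escaping fixes
//    "javascript:" URLs; allowlist the scheme first, then attribute-escape.
//    Relative URLs (no scheme) are allowed. Returns null when the URL is rejected.
function out_href(string $url): ?string
{
    $url = trim($url);
    // Browsers strip control characters when parsing schemes; refuse them outright.
    if ($url === '' || preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return null;
    }
    $scheme = parse_url($url, PHP_URL_SCHEME); // null if absent, false if unparseable
    if ($scheme === false) {
        return null;
    }
    if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null;
    }
    return out_html($url);
}

// Context-correct rendering of a constructed payload in each context.
function render_demo(): array
{
    $name = '"><script>alert(1)</script>';
    $js   = '</script><script>alert(1)//';
    $url  = 'javascript:alert(document.cookie)';
    return [
        'html'  => '<p>' . out_html($name) . '</p>',
        'attr'  => '<input value="' . out_html($name) . '">',
        'js'    => '<script>var name = ' . out_js($js) . ';</script>',
        'query' => '<a href="' . out_html('/search?q=' . out_url_param($name)) . '">x</a>',
        'href'  => '<a href="' . (out_href($url) ?? '#') . '">x</a>', // rejected -> "#"
    ];
}

// Two renderings that DO call htmlspecialchars() and are still exploitable:
// an unquoted attribute needs no quote character to break out, and an inline
// event handler is HTML-decoded by the browser before the JS parser runs.
// The fix is structural: always quote attributes, and never inline data into
// on* handlers (put it in a data-* attribute and read it from a script instead).
function still_vulnerable(): array
{
    $payload = 'x onmouseover=alert(1)';
    $handler = "'); alert(1); ('";
    return [
        'unquoted_attr' => '<input value=' . out_html($payload) . '>',
        'event_handler' => '<a onclick="go(\'' . out_html($handler) . '\')">x</a>',
    ];
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    foreach (render_demo() as $ctx => $markup) {
        printf("%-14s %s\n", $ctx, $markup);
    }
    foreach (still_vulnerable() as $ctx => $markup) {
        printf("%-14s %s   <- still XSS despite htmlspecialchars()\n", $ctx, $markup);
    }
}
```

Run it with `php example.php` and compare the two groups of output: the first five lines are inert in a browser, the last two execute script even though every dynamic value passed through htmlspecialchars(). In a WordPress theme the same split maps onto esc_html()/esc_attr() for the first two contexts, wp_json_encode() (or esc_js() inside an already-quoted string) for the script context, and esc_url() for hrefs, which also performs the scheme allowlisting that out_href() does by hand here.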