plugins – Do you want to add HTML code to messages in WP_Error?


It's not about what HTML escaping is or how it's done, but if there's a best practice on when to do it.

I have code in my plugin that can generate a WP_Error based on user input, and other display code that shows this WP_Error. Of course, this user input must be HTML-protected on display, but I'm not sure when would be the best time to do so.

I have the choice, if I:

  • Escape the message while I'm building the WP_Error, and the display code shows it as it is.

  • Do not worry about escaping while building the WP_Error and completely avoid it in the display code WP_Error messages.

Either would work, but if my plugin interacts with other plugins and may display their WP_Error or vice versa, I would like to agree with the precedent existing in the WordPress world.

I had hoped that the documentation would address this, but I have not seen anything at https://codex.wordpress.org/class_reference/WP_Error
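
The four ways the two options above can meet when one plugin builds the error and another displays it, as an added example that is not part of the original post. `Demo_Error` is a hypothetical minimal stand-in for WP_Error and `htmlspecialchars()` stands in for whatever escaping helper a plugin would call, so the script runs without WordPress.

```php
<?php
// Added illustration, not code from the post. Demo_Error is a hypothetical
// stand-in for WP_Error (code and message storage only).
final class Demo_Error {
    private string $code;
    private string $message;
    public function __construct(string $code, string $message) {
        $this->code    = $code;
        $this->message = $message;
    }
    public function get_error_message(): string {
        return $this->message;
    }
}

// Assumption: htmlspecialchars() stands in for the plugin's escaping helper.
function demo_escape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// First option from the post: escape while building the error.
function build_escaped(string $input): Demo_Error {
    return new Demo_Error('bad_name', 'Invalid name: ' . demo_escape($input));
}

// Second option: store the raw text and leave escaping to the display code.
function build_raw(string $input): Demo_Error {
    return new Demo_Error('bad_name', 'Invalid name: ' . $input);
}

// Two display conventions another plugin might follow.
function display_as_is(Demo_Error $e): string {
    return '<p class="error">' . $e->get_error_message() . '</p>';
}
function display_escaping(Demo_Error $e): string {
    return '<p class="error">' . demo_escape($e->get_error_message()) . '</p>';
}

$input = '<b>Tom & Co</b>'; // constructed sample input containing markup

// Print every builder/display pairing so mismatched conventions are visible.
foreach (['build_escaped', 'build_raw'] as $build) {
    foreach (['display_as_is', 'display_escaping'] as $display) {
        printf("%-13s + %-16s => %s\n", $build, $display, $display($build($input)));
    }
}
```

Only the matched pairs render the text correctly: an error escaped at build time and escaped again on display comes out double-encoded (`&amp;lt;b&amp;gt;`), and a raw error shown as-is reaches the page with its markup unescaped.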