Do we need to escape data that we receive from theme options?

I’m creating a WordPress theme that I’m hoping to sell on Themeforest. Now I know much about escaping user inputted data using functions like esc_html, esc_url and so on and I use them in the comments template and few other places in my theme. What I’m not sure about is whether I’m suppose to use these functions on the data that I get from the database that the user inputs using the theme options or not. As it is still user inputted data, except that it goes through the database, before we echo it out.

I’m using the Redux Framework to create the theme options for my theme, and I have all the settings in a global variable:


And to sum up my confusion, if I want to show the logo image, do I do it like this:

img src="<?php echo $mytheme_options["logo_url"]; ?>" />

Or Like this:

img src="<?php echo esc_url($mytheme_options["logo_url"]); ?>" />

I’ve search around for this but didn’t find any article that discusses about what to do about the user-inputted data that comes from the database. I’ve also looked into the code of other themes and they don’t seem to escape it. But I’m not sure how they insert options in the database, which I think would somehow determine whether to escape that data or not.

Solutions Collecting From Web of "Do we need to escape data that we receive from theme options?"

YES. You always escape output that originally comes from user submitted data.

To be safe, you always escape variable output, period.

Yes you should escape. the DB is supposed to hold the raw value therefor you should assume it needs to be escaped.

Do you need to escape every little thing like in your example? I don’t, but maybe you should not do as I do 😉 Some things are safer to assume that the user will not input some random keystrokes, but there is always that one user that will perform submit after a cat walked on his keyboard.

Yes, You should but not always.
Like whenever you are not sure that a user might enter some html stuff like a hyperlink and you don’t want that, then you should escape it.

As codex says : Always use when escaping HTML attributes.

Codex: esc_attr WordPress Codex

Sanitize and validate before committing any data into your database, that is the most important precaution. That would ensure that you get “clean” data from your database. Escaping data on display would be less of a concern as a result but still an added level of security and highly recommended. Trust nothing and no one, it only takes a single specially placed character to ruin your whole installation and open your site to vulnerabilities.