I have this code:
the_content( sprintf(
__( 'Continue reading %s', 'twentyfifteen' ),
the_title( '<span class="screen-reader-text">', '</span>', false )
) );
How do I escape the code above for security issues? I have been using the code below to fix such issues:
<?php echo esc_html(get_the_title()) ; ?>
From the WP Codex:
It's important to note that most WordPress functions properly prepare the data for output, and you don't need to escape again.
So for this function you don't have to escape the_title() again, because this function does it already by itself.
For all other Escaping/Sanitizing needs, look here.
the_title(), the_excerpt() and the_content() are not escaped (the_content() does a little string replacing), and this can cause security issues, for example when an editor has installed malicious browser extensions.
The correct approach is to wrap the get_* versions of these functions into esc_html_e() (which runs esc_html(), translates through the text domain, and echoes the result), so in your case:
<?php esc_html_e(get_the_content($more_link_text, $strip_teaser)); ?>
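An added example, not part of the question or of either answer above, showing how the original Twenty Fifteen snippet can be written so that only the user-controlled part (the post title) is escaped. It assumes it runs inside The Loop of a theme template with the twentyfifteen text domain loaded; the helper example_print_content() is a hypothetical name introduced here. Note that esc_html() encodes every < and >, so applying it to the full post body (as esc_html_e() would) prints the post's own markup as literal text; wp_kses_post() is the WordPress function that keeps the tags allowed in post content and strips the rest.

```php
<?php
// Example code, added here; not from the question or the answers above.
// Assumes it runs inside The Loop of a WordPress theme template and that
// the 'twentyfifteen' text domain is loaded.

// 1. The title is author-controlled, so escape it before it is concatenated
//    into markup. get_the_title() returns the raw (filtered but unescaped)
//    title; esc_html() encodes < > & " ' as HTML entities.
$safe_title = esc_html( get_the_title() );

// 2. The wrapper span and the translated format string are our own static
//    markup, so only the interpolated title needed escaping. the_content()
//    prints the post body after the 'the_content' filter and appends this
//    "more" link text where a <!--more--> tag splits the post.
the_content( sprintf(
	/* translators: %s: post title inside a screen-reader-only span */
	__( 'Continue reading %s', 'twentyfifteen' ),
	'<span class="screen-reader-text">' . $safe_title . '</span>'
) );

// 3. If the body is printed from get_the_content() instead of the_content(),
//    do not wrap it in esc_html(): that renders the post's own <p>, <a> and
//    <img> tags as visible text. wp_kses_post() keeps the tags WordPress
//    allows in post content and strips the rest (script tags, on* event
//    attributes, javascript: URLs). example_print_content() is a
//    hypothetical helper name used only for this illustration.
function example_print_content( $more_link_text, $strip_teaser = false ) {
	$content = get_the_content( $more_link_text, $strip_teaser );
	$content = apply_filters( 'the_content', $content );
	echo wp_kses_post( $content );
}
```

The split matters: the title is interpolated into markup we wrote, so it is HTML-escaped; the post body is itself HTML and is filtered by an allow-list rather than escaped, which is also what WordPress does on save for users without the unfiltered_html capability.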