Escaping dynamic custom code in WordPress

I have the following two snippets of code that render the custom code in the header.php and footer.php:

<!-- code before closing head tag -->
<?php echo $x_redux_option['x_code_before_head']; ?>
<!-- code before closing body tag -->
<?php echo $x_code_before_body; ?>

The data is coming from the Redux framework dynamically, and the options only accept code wrapped in script tags and HTML markup that is valid inside the <head> tag for the header, and valid HTML markup for the footer.

The fact is that the Mentor Themeforest shows the following errors:

  1. All dynamic data must be correctly escaped for the context where it is rendered. at file header.php, line 39:

  2. All dynamic data must be correctly escaped for the context where it is rendered. at file footer.php, line 44:


How can I escape this data? Will I use the wp_kses() function? But which HTML tags should I allow? How can I know which tags should be allowed?

Please, extend your helping hand as before. :) Thank you so much for taking the trouble to read.

I'd go with esc_html. Since you are going to echo HTML and scripts, wp_kses would need to allow pretty much all the tags. Your code is gonna look like this:

<!-- code before closing head tag -->
<?php echo esc_html( $x_redux_option['x_code_before_head'] ); ?>
<!-- code before closing body tag -->
<?php echo esc_html( $x_code_before_body ); ?>

I suppose you're familiar with data escaping, however I'll leave a link to official WordPress docs anyway:

https://developer.wordpress.org/themes/theme-security/data-sanitization-escaping/

Thanks, Luca
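
On the question of which tags to allow: one way to build context-specific allowlists for wp_kses(), shown as an added example that is not part of the original question or answer. The x_* function names and the attribute lists are assumptions chosen for illustration; the option names are the ones from the question.

```php
<?php
// Added example for a theme's functions.php. The x_* function names are hypothetical.

// Elements and attributes that are valid inside <head>.
function x_head_allowed_html() {
	return array(
		'script'   => array( 'src' => true, 'type' => true, 'async' => true, 'defer' => true, 'id' => true ),
		'style'    => array( 'type' => true, 'media' => true, 'id' => true ),
		'meta'     => array( 'name' => true, 'content' => true, 'property' => true, 'charset' => true, 'http-equiv' => true ),
		'link'     => array( 'rel' => true, 'href' => true, 'type' => true, 'media' => true, 'sizes' => true ),
		'noscript' => array(),
	);
}

// Footer: the tags core allows in post content, plus script/style/noscript.
function x_body_allowed_html() {
	$extra = array_intersect_key(
		x_head_allowed_html(),
		array( 'script' => 1, 'style' => 1, 'noscript' => 1 )
	);
	return array_merge( wp_kses_allowed_html( 'post' ), $extra );
}

// Call on save. wp_kses() filters tags and attributes only; it does not inspect
// the JavaScript inside an allowed <script>, so only users who may post
// unfiltered HTML get to store script elements. For everyone else the tag is
// stripped and its body is left as inert text.
function x_sanitize_custom_code( $code, $allowed_html ) {
	if ( ! current_user_can( 'unfiltered_html' ) ) {
		unset( $allowed_html['script'] );
	}
	return wp_kses( (string) $code, $allowed_html );
}

// header.php, before </head>:
//   echo wp_kses( $x_redux_option['x_code_before_head'], x_head_allowed_html() );
// footer.php, before </body>:
//   echo wp_kses( $x_code_before_body, x_body_allowed_html() );
```

For comparison, esc_html() is meant for text contexts: it encodes `<` and `>`, so markup passed through it is displayed as visible text instead of being parsed as tags.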