How to properly escape a filtered content variable?

Question

I'm running through the Theme Checker plugin for my Wordpress theme, and I have the following code snippets:

1. Get and show only the first embedded video from the post content:

<?php  $content = apply_filters( 'the_content', $post->post_content );

$embeds = get_media_embedded_in_content( $content );
$first_embedded = $embeds[0];
echo $first_embedded;
  ?>

2. Remove any embedded content from the post content:

   <?php 
     $content = apply_filters( 'the_content', $post->post_content );
     $content = preg_replace("/(<iframe[^<]+<\/iframe>)/", '', $content);
     echo $content;
     ?>

I'm getting this warning in the theme Checker:

WARNING: Found echo $ in the file single.php. Possible data validation issues found. All dynamic data must be correctly escaped for the context where it is rendered.
Line 34: echo $first_embedded;
Line 76: echo $content;

How may I properly escape those variables? I've tried with:

<?php esc_html( $first_embedded); ?>

But it just prints the HTML <iframe>...</iframe> code of my embedded video, like if it was a simple text string.

Same thing if I do it on the $content:

 <?php esc_html( $content); ?>

I'm a beginner. The problem is that I need those 2 variables because the first one shows the video in case the post format is a Video type and replaces the post thumbnail image with the first embedded video.

The second function is needed as well in order not to show that video in the post's content.

Note that we prefer a technical style of writing here. We gently discourage greetings, hope-you-can-helps, thanks, advance thanks, notes of appreciation, regards, kind regards, signatures, please-can-you-helps, chatty material and abbreviated txtspk, pleading, how long you've been stuck, voting advice, meta commentary, etc. Just explain your problem, and show what you've tried, what you expected, and what actually happened. — halfer, May 04 '19 at 08:58

score 4 · Accepted Answer · edited Jun 03 '19 at 21:00

I've found a nice workaround that goes smoothly on Theme Checker and, of course, on the WordPress page as well, which is by using html_entity_decode()

So I've replaced:

echo $first_embedded;

With this line:

echo html_entity_decode( esc_html( $first_embedded ) );

And:

echo $content;

With:

echo html_entity_decode( esc_html($content) );

The html_entity_decode() function converts HTML entities to characters, which is what we need to display the code of the filtered post content and get no errors in the Envato or WP Theme Checker.

How to properly escape a filtered content variable?

1 Answers1