Escaping and Late Escaping

[tomjn]

I'm seeing a lot of cases where output is being collected in variables e.g. $html then printed out later down the code, and there is no escaping being added.

Instead, print immediatley and escape at the moment of output.

E.g.

?>
<a href="<?php echo esc_url( $url ); ?>"><?php echo esc_html( $link_text ); ?></a>
<?php

esc_url guarantees that you safely print out a URL, even if $url contains a malicious javascript snippet, it forces the result to be URL shaped. Using a temporary variable to batch up markup then printing it out later on allows you to miss escaping, or worse still double escape. It also means that the browser can't do anything with that markup until you send it, so no progressive rendering occurs.

[rhavin]

Yes, I was missing some escapement, added it.
Ho should a browser do anything with the php-code? The server does this.

[tomjn]

Not the PHP code but the resulting HTML that it generates. As an example plugins such as Autoptimise start an output buffer then collect the entire pages output into a variable so that it can then perform optimisations that get you good pagespeed scores. But those optimisations are meant to let the browser do rendering when it's only recieved half the page because the server/PHP is still working, something that can't happen if you bundle it up at the server and send it all at once at the very end. This is why you get people asking why their TTFB is terrible.