security – why escape output if the_content does not?

The built-in function the_content runs the content through several filters, but it does not escape the output. That would be hard to do, because HTML and even some scripts must be allowed.

At the time of writing, the_content seems to go through these filters (as of version 5.0):

add_filter( 'the_content', 'do_blocks', 9 );
add_filter( 'the_content', 'wptexturize' );
add_filter( 'the_content', 'convert_smilies', 20 );
add_filter( 'the_content', 'wpautop' );
add_filter( 'the_content', 'shortcode_unautop' );
add_filter( 'the_content', 'prepend_attachment' );
add_filter( 'the_content', 'wp_make_content_images_responsive' );

(and)

add_filter( 'the_content', 'capital_P_dangit' );
add_filter( 'the_content', 'do_shortcode' );

There is also a simple string replacement:

$content = str_replace( ']]>', ']]&gt;', $content );

And then get_the_content does a little processing related to the "more" link and a JavaScript bug with foreign languages.

None of these prevent XSS script injection, do they?

On save, the data is sanitized with wp_kses_post. But since that is an expensive process, I understand why it is not used on output.

The basic rule for escaping in WordPress is that everything must be escaped, regardless of input sanitization, and as late as possible. I have read several articles on this subject, because the database should not be considered a trusted source.

But for the reasons above, the_content does not follow this. Core themes (for example, Twenty Nineteen) do not add any extra escaping.

So … why does it help to escape anything elsewhere? If I were an attacker with access to the database, couldn't I just add my code to a post's content?
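For anyone who wants defense in depth against content that was altered in the database after it was saved, here is an added example (my own illustration, not WordPress core code and not from the question) of a hypothetical must-use plugin that re-applies the same wp_kses_post allow-list on output, after every core the_content filter listed above has run. The function name, plugin header and the choice to exempt authors holding unfiltered_html are my assumptions.

```php
<?php
/**
 * Plugin Name: Late content KSES (added example, not WordPress core code)
 *
 * Re-runs wp_kses_post() as the very last the_content filter, so the markup
 * that reaches the browser is limited to the allow-list that was applied on
 * save, even if post_content was modified directly in the database.
 * Hypothetical plugin: place it in wp-content/mu-plugins/.
 */

// PHP_INT_MAX runs after do_blocks (9), wpautop (10), convert_smilies (20)
// and any theme or plugin filter registered with a normal priority.
add_filter( 'the_content', 'example_late_kses_content', PHP_INT_MAX );

function example_late_kses_content( $content ) {
	// On save, core only applies KSES to users who lack unfiltered_html,
	// so posts by such authors (e.g. administrators on a single site) may
	// legitimately contain raw HTML. Mirror that rule here; this is an
	// assumption of the example, not a requirement.
	$post = get_post();
	if ( $post && user_can( (int) $post->post_author, 'unfiltered_html' ) ) {
		return $content;
	}

	// wp_kses_post() removes <script>, on* event attributes and
	// javascript: URLs while keeping ordinary post markup such as
	// <p>, <a href>, <img src srcset sizes> and block wrappers.
	return wp_kses_post( $content );
}
```

Because this runs after oEmbed and shortcode expansion, any iframe those produce will also be stripped, so test it against embeds on a staging site before relying on it; it also costs a full KSES pass per rendered post, which is the overhead the question mentions.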