This excellent article on WordPress VIP might be of interest:
Validating, Sanitizing, and Escaping
In particular, they go into detail as to why it’s important to “late escape” everything, that is, to escape data at the point where it is output rather than relying on it having been cleaned when it was stored:
The Importance of Escaping All The Things
Their advice?
If it’s not escaped on output, it’s potentially exploitable. Never underestimate the abilities of an attacker – they’re experts at finding the way to make the ‘this should never, ever, be possible’ things happen :). For maximum security, we must escape all the things.
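To make the advice concrete, here is an added example (my own code, not from the WordPress VIP article or from WordPress core) showing the same comment template written two ways: trusting stored data, and late-escaping every dynamic value with the escaper that matches the context it lands in. The esc_html()/esc_attr()/esc_url() names are the real WordPress core functions; the shim definitions at the top are simplified stand-ins, an assumption I make so the file runs outside WordPress, and they are skipped when WordPress has already defined the real ones. The comment data is constructed for the demonstration.

```php
<?php
// Added example (not from the WordPress VIP article or WordPress core): one
// comment-rendering template written "trust the database" (unsafe) and
// "late escaped". The esc_* shims are simplified stand-ins so this file runs
// outside WordPress; when WordPress is loaded, function_exists() is true and
// core's esc_html()/esc_attr()/esc_url() are used instead.

if (!function_exists('esc_html')) {
    // Stand-in: HTML text context. Core's esc_html() also normalises entities.
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    // Stand-in: HTML attribute context (quotes must be neutralised here).
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Stand-in: allow only http/https, then attribute-escape. Core's esc_url()
    // accepts a longer protocol allow-list and does more normalisation.
    function esc_url(string $url): string {
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample: a comment row as it might come back from the database.
// Assuming it was "sanitised on input" is exactly what the article warns
// against: rows can reach this template by paths that never ran the input
// filter (an import, a REST request, another plugin writing the table directly).
$comment = [
    'author'  => 'Mallory "><script>alert(1)</script>',
    'url'     => 'javascript:alert(document.cookie)',
    'content' => 'Great post! <img src=x onerror=alert(1)>',
];

// Before: trusts stored data, so the markup above lands in the page verbatim.
function render_comment_unescaped(array $c): string {
    return '<li class="comment" data-author="' . $c['author'] . '">'
         . '<a href="' . $c['url'] . '">' . $c['author'] . '</a>: '
         . $c['content'] . '</li>';
}

// After: every dynamic value is escaped at the moment it is output, and the
// escaper is chosen by destination context (attribute, URL, HTML text), not
// by where the value came from.
function render_comment_escaped(array $c): string {
    return '<li class="comment" data-author="' . esc_attr($c['author']) . '">'
         . '<a href="' . esc_url($c['url']) . '">' . esc_html($c['author']) . '</a>: '
         . esc_html($c['content']) . '</li>';
}

echo "UNESCAPED:\n" . render_comment_unescaped($comment) . "\n\n";
echo "LATE-ESCAPED:\n" . render_comment_escaped($comment) . "\n";
```

Run it with `php late-escape.php` (file name is mine). In the late-escaped output the author name appears as inert text in both the attribute and the link body, the `javascript:` URL is dropped to an empty href, and the comment body's `<img>` tag is rendered as literal characters. Note that the same author string is escaped twice, once with esc_attr() and once with esc_html(), because it appears in two different contexts; that per-output choice is the point of escaping late rather than once on the way in. If comment bodies are allowed to carry a limited set of HTML, WordPress core's wp_kses_post() is the output filter for that context in place of esc_html().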