In this simple snippet, isn’t it necessary to sanitize the get_field before using it?
<?php
if ( get_field( 'phone' ) ) {
    $phone = format_phone_number( get_field( 'phone' ) );
?>
<p class="coworker__phone"><?php echo esc_html( $phone ); ?></p>
<?php
}
I mean, is it necessary to write like this:
<?php
if ( sanitize_text_field( get_field( 'phone' ) ) ) {
    $phone = format_phone_number( sanitize_text_field( get_field( 'phone' ) ) );
?>
<p class="coworker__phone"><?php echo esc_html( $phone ); ?></p>
<?php
}
I thought, since the field is used before it is rendered, is it possible for malicious code to enter if sanitize_text_field() is not used before using the data in the if-condition and the formatting function?
If you are worried about what is in the field then yes.
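One way to handle an untrusted value in the snippet above is to validate it inside the formatting function and escape it at output. This is an added example, not code from the thread: the body of format_phone_number() and the render_phone() helper are hypothetical, and htmlspecialchars() stands in for esc_html() so the script runs outside WordPress.

```php
<?php
/**
 * Hypothetical implementation: validate a raw field value against an
 * allow-list and return a normalized phone number, or null if the value
 * does not look like a phone number.
 */
function format_phone_number( $raw ) {
    // Non-string values (for example an empty field) are rejected.
    if ( ! is_string( $raw ) ) {
        return null;
    }
    $value = trim( $raw );
    // Allow-list: optional leading "+", then digits, spaces and separators.
    if ( ! preg_match( '/^\+?[0-9 ().\-]{7,20}$/', $value ) ) {
        return null;
    }
    $digits = preg_replace( '/\D/', '', $value );
    if ( strlen( $digits ) < 7 || strlen( $digits ) > 15 ) {
        return null;
    }
    return ( '+' === $value[0] ? '+' : '' ) . $digits;
}

/**
 * Hypothetical helper: build the markup from the question. The value is
 * validated before use and escaped at the point of output.
 */
function render_phone( $raw ) {
    $phone = format_phone_number( $raw );
    if ( null === $phone ) {
        return ''; // rejected values render nothing
    }
    // In WordPress this would be esc_html( $phone ).
    return '<p class="coworker__phone">'
        . htmlspecialchars( $phone, ENT_QUOTES, 'UTF-8' ) . '</p>';
}

// Constructed sample values, including markup and non-string input.
$samples = array( '+46 (0)70-123 45 67', '555 0100', '<script>alert(1)</script>', '', false );
foreach ( $samples as $sample ) {
    var_export( $sample );
    echo ' => ';
    var_export( render_phone( $sample ) );
    echo PHP_EOL;
}
```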