theme development - How to assess whether a WP core (or other) function is escaped already or not?

admin2025-01-07  4

Given my sparse knowledge and experience on the process of escaping data, I have a hard time determining which functions are escaped and which are not. I try to analyze the "Source" section of functions in the WordPress documentation. I am now aware of escaping functions such as esc_html(), esc_url(), etc. But for instance when studying wp_get_attachment_image(), I cannot locate these in the source code (wp-includes/...). I do not know what escaping functions to look for to verify it has been escaped already or not.

I have learned that functions prefixed the_ (the_title, the_content, the_permalink, etc) are already escaped. So therefore I use them mostly when outputting data. In a few cases, though, I use other core functions. For example, for alt attributes belonging to featured images of posts I am using the get_post_meta function: alt="<?php echo esc_html(get_post_meta(get_post_thumbnail_id(), '_wp_attachment_image_alt', true));?>". Evidently I am escaping get_post_meta() with esc_html() here, which outputs the alt tag value as expected.

I also need to make sure/confirm that the following echoed function is escaped on output, considering it is not using the prefix the_:

<?php if (has_category()):?>
  <?php
  $categories = get_the_category();
  foreach ($categories as $category):?>
    <a class="article-category" href="<?php echo get_category_link($category->term_id);?>">
      <?php echo $category->name;?>
    </a>
  <?php endforeach;?>
<?php endif;?>

Finally, I need to make sure that this one is escaped as well:

<time class="article-time"><?php echo get_the_date();?></time>

EDIT: I escaped this last one by doing: echo esc_html(get_the_date())

Thankful for any thoughts and input.

/dfr
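One way to check a template for echoes that are not wrapped in an escaping function at the point of output, as an added example that is not part of the original post: a heuristic Python scan run over the snippets from the question (embedded below as sample input). The `ESCAPERS` allowlist and the name `unescaped_echoes` are assumptions of this example, and the scan only reports whether the outermost call is an escaper, not whether the wrapped core function escapes internally.

```python
import re

# Outermost calls treated as "escaped at output". Assumption of this example:
# extend the set to match the escaping helpers your theme actually uses.
ESCAPERS = {
    "esc_html", "esc_attr", "esc_url", "esc_js", "esc_textarea",
    "wp_kses", "wp_kses_post",
}

# Matches `<?php echo EXPR; ?>` and the short form `<?= EXPR ?>`.
ECHO_RE = re.compile(r"<\?(?:php\s+echo\b|=)\s*(.+?)\s*;?\s*\?>", re.S)
# Name of the outermost function call, if the expression starts with one.
CALL_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def unescaped_echoes(template: str):
    """Return (line_number, expression) for each echo whose expression does
    not start with a call to a function in ESCAPERS. Heuristic only:
    multi-statement PHP blocks, printf()/print and anything concatenated
    after a leading escaper call are not inspected."""
    findings = []
    for m in ECHO_RE.finditer(template):
        expr = m.group(1)
        call = CALL_RE.match(expr)
        if call and call.group(1) in ESCAPERS:
            continue
        line = template.count("\n", 0, m.start()) + 1
        findings.append((line, expr))
    return findings


# Sample input: the snippets from the question, plus its escaped date variant.
SAMPLE = """<?php if (has_category()): ?>
  <?php $categories = get_the_category();
  foreach ($categories as $category): ?>
    <a class="article-category" href="<?php echo get_category_link($category->term_id);?>">
      <?php echo $category->name;?>
    </a>
  <?php endforeach;?>
<?php endif;?>
<time class="article-time"><?php echo get_the_date();?></time>
<time class="article-time"><?php echo esc_html(get_the_date());?></time>
"""

if __name__ == "__main__":
    for line, expr in unescaped_echoes(SAMPLE):
        print(f"line {line}: echo {expr} is not escaped at output")
```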
