I see a lot of this in premium themes/plugins.
#1 - Why would you escape this? It's your own data. For consistency?
function prefix_a() {
    // Hard-coded class list, never touched by user input.
    $class_attr = 'a b c';
    // Some more code.
    return '<div class="' . esc_attr( $class_attr ) . '">Content</div>';
}
// Called somewhere.
prefix_a();
#2 - Again, why? The data doesn't come from the DB.
function prefix_b( $class ) {
    // Some code.
    // $class is passed in by whoever calls the function.
    return '<div class="' . esc_attr( $class ) . '">Content</div>';
}
// Called by a developer from the team.
prefix_b( 'developer adds a class' );
Yes, a child theme developer can call the function above, but he/she already has control anyway.
#3 - Why? If someone can add filters, they can do a lot more.
function prefix_c() {
    // Any plugin or theme hooked to 'prefix_c' can change this value.
    $class_attr = apply_filters( 'prefix_c', 'foo bar' );
    // Some code.
    return '<div class="' . esc_attr( $class_attr ) . '">Content</div>';
}
// Called somewhere.
prefix_c();
If someone uses untrusted data (case #1 excluded), the only reasons I can think of are consistency and security.
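The following is an added example, not code from the question above. It takes the #3 shape (a class list that passes through a filter) and shows what esc_attr() does for the attribute context when a filter callback returns a value containing a double quote. The filter callback, and the simplified stand-ins for esc_attr(), add_filter() and apply_filters() that let the script run outside WordPress, are constructed for this example and are assumptions, not WordPress's own code.

```php
<?php
// Added example. Outside WordPress the real esc_attr()/add_filter()/
// apply_filters() do not exist, so simplified stand-ins are defined here
// (assumptions for illustration; WordPress's own implementations differ).
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        // Stand-in: encode & < > " ' so the value cannot close the
        // surrounding attribute. WordPress's esc_attr() does this as well.
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'add_filter' ) ) {
    $GLOBALS['prefix_example_filters'] = array();
    function add_filter( $tag, $callback ) {
        $GLOBALS['prefix_example_filters'][ $tag ][] = $callback;
    }
    function apply_filters( $tag, $value ) {
        $callbacks = isset( $GLOBALS['prefix_example_filters'][ $tag ] )
            ? $GLOBALS['prefix_example_filters'][ $tag ]
            : array();
        foreach ( $callbacks as $callback ) {
            $value = call_user_func( $callback, $value );
        }
        return $value;
    }
}

// Same shape as prefix_c() in the question, with and without escaping.
function prefix_c_unescaped() {
    $class_attr = apply_filters( 'prefix_c', 'foo bar' );
    return '<div class="' . $class_attr . '">Content</div>';
}
function prefix_c_escaped() {
    $class_attr = apply_filters( 'prefix_c', 'foo bar' );
    return '<div class="' . esc_attr( $class_attr ) . '">Content</div>';
}

// Constructed filter callback standing in for a third-party plugin or theme
// that appends a class. The appended value contains a double quote, e.g.
// because it was built from a setting that was never validated.
add_filter( 'prefix_c', function ( $classes ) {
    return $classes . ' extra"';
} );

// Check whether the class attribute is still a single, well-formed attribute:
// the escaped version must not contain a raw double quote inside the value.
function prefix_c_attribute_is_intact( $html ) {
    // Exactly one opening and one closing quote around the class value.
    return substr_count( $html, '"' ) === 2;
}

echo prefix_c_unescaped(), PHP_EOL;
echo prefix_c_escaped(), PHP_EOL;
echo 'unescaped intact: ', var_export( prefix_c_attribute_is_intact( prefix_c_unescaped() ), true ), PHP_EOL;
echo 'escaped intact:   ', var_export( prefix_c_attribute_is_intact( prefix_c_escaped() ), true ), PHP_EOL;
```

Run it with `php example.php`. The unescaped variant lets the filtered value terminate the class attribute early, so the markup that reaches the browser no longer matches what prefix_c() intended; the escaped variant keeps the whole filtered string inside the attribute. That is the property esc_attr() buys in cases #2 and #3: the function's output stays well-formed regardless of what its caller or a hooked filter hands it, which is why the escape is placed at the point of output rather than relying on every caller to be careful.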