Add get_the_ID() & remove post_class() from the safe list

[grappler]

Fixes #746

[jrfnl]

I'm happy to add get_the_ID(). We know it will always be a numeric value or false, so using that in an echo should be fine.

Not so sure about the get_post_class() function.
First of all, the function returns an array and shouldn't be echo-ed as is (not without a join/explode or something).
Second of all, the function has a filter just before the array is returned and could therefore be used for evil.
Considering that, I believe the post_class() function should actually be removed from the safe functions list until escaping of the array values is added to the function in core.
(The escaping in core is done before the filter, so it would just be a case of changing the code order)

Refs:
https://developer.wordpress.org/reference/functions/get_the_id/
https://developer.wordpress.org/reference/functions/the_id/
https://developer.wordpress.org/reference/functions/get_post_class/
https://developer.wordpress.org/reference/functions/post_class/

[jrfnl]

Related:
https://core.trac.wordpress.org/ticket/29259
https://core.trac.wordpress.org/ticket/20009 (discussed and closed without fixing it for fear of breaking funky plugin implementations)

[JDGrimes]

I second the concerns that @jrfnl has raised in regard to get_post_class(). Of course, even esc_html() et al. apply filters after escaping the value. But in that case, anything hooked to the filter knows that the value is already escaped. It is entirely possible that folks could hook into the post class filter and not realize that escaping is needed on their part.

[grappler]

I have update the PR and changed the title to match the code.