All text entered into the database is, in essence, “user entered”. If the site gets hacked, a hacker could change every instance of the field “title” to contain JavaScript, for example. If you just echo out the field then you’re writing the JavaScript to the page and thus injecting the code into the page.
Therefore, you should consider everything that comes from the database to be potentially hackable and use the appropriate esc_ function before writing it out.
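To make the point concrete, here is an added example (not code from the original answer or from WordPress core) that renders a constructed database row twice: once by echoing the raw values, once through the matching esc_* function for each output context (text node, attribute, URL). The esc_html(), esc_attr() and esc_url() names are the real WordPress core functions; because they are only loaded inside WordPress, the block defines minimal htmlspecialchars()-based stand-ins when they are absent so it can run on its own, and those stand-ins are an assumption of this example, not a description of how core implements them.

```php
<?php
// Added example, not from the original answer or from WordPress core.
// Outside WordPress the esc_* functions do not exist, so these stand-ins
// (based on htmlspecialchars) are defined only when the real ones are absent.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    // Stand-in (assumption): accept only http(s) URLs, return '' for anything else.
    function esc_url( $url ) {
        $url = trim( (string) $url );
        if ( ! preg_match( '#^https?://#i', $url ) ) {
            return '';
        }
        return htmlspecialchars( $url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Constructed sample row: what a tampered "title" column and friends might hold.
$row = array(
    'title' => 'Hello <script>alert(1)</script>',
    'slug'  => '" onmouseover="alert(1)',
    'link'  => 'javascript:alert(1)',
);

// Unsafe: stored markup is written straight into the page as live HTML.
function render_unsafe( array $row ) {
    return '<h2 class="' . $row['slug'] . '">' . $row['title'] . '</h2>'
         . '<a href="' . $row['link'] . '">read more</a>';
}

// Safe: each value is escaped for the context it lands in.
//   esc_html() for text between tags, esc_attr() inside an attribute,
//   esc_url() for an href so non-http(s) schemes are dropped.
function render_safe( array $row ) {
    return '<h2 class="' . esc_attr( $row['slug'] ) . '">' . esc_html( $row['title'] ) . '</h2>'
         . '<a href="' . esc_url( $row['link'] ) . '">read more</a>';
}

echo "UNSAFE: ", render_unsafe( $row ), PHP_EOL;
echo "SAFE:   ", render_safe( $row ), PHP_EOL;
```

Run with `php escape-demo.php`: the unsafe line contains a live `<script>` tag, an attribute that breaks out of its quotes, and a `javascript:` link, while the safe line shows the same values as inert entity-encoded text and an emptied href. The choice of function follows the output context, not where the data came from; a title that is perfectly safe as text between tags still needs esc_attr() when it is placed inside an attribute.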