WordPress doesn’t provide any specific data validation functions for SUPERGLOBALS.
I use the PHP filter_input function then escape it as I would any untrusted variable.
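```php
// Returns the URL string if it validates, false if validation fails,
// or null if 'some_query_string' is not present in the query string.
$url = filter_input( INPUT_GET, 'some_query_string', FILTER_VALIDATE_URL );

// Escape at output time, as for any untrusted value placed in an href.
echo '<a href="' . esc_url( $url ) . '">Click Me</a>';
```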
The PHP filter input accepts:
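Added example, not part of the original answer: the same validate-then-escape pattern applied to several query-string values at once with `filter_input_array()`, with the missing and failed cases handled. It assumes the code is loaded inside WordPress as a plugin file; the `myplugin_*` names, the `myplugin` text domain and the query-string keys are hypothetical.

```php
<?php
// Added example; assumes it is loaded inside WordPress (plugin file).
// The myplugin_* names and query-string keys are hypothetical.
defined( 'ABSPATH' ) || exit;

function myplugin_read_query() {
	$input = filter_input_array(
		INPUT_GET,
		array(
			'return_to' => FILTER_VALIDATE_URL,
			'page_num'  => array(
				'filter'  => FILTER_VALIDATE_INT,
				'options' => array( 'min_range' => 1, 'max_range' => 500 ),
			),
			'contact'   => FILTER_VALIDATE_EMAIL,
		)
	);

	// With no GET data at all, filter_input_array() returns null, not an array.
	if ( ! is_array( $input ) ) {
		$input = array();
	}

	return array(
		// false (failed validation) and null (missing) both fall back to a default.
		'return_to' => empty( $input['return_to'] ) ? home_url( '/' ) : $input['return_to'],
		'page_num'  => empty( $input['page_num'] ) ? 1 : $input['page_num'],
		'contact'   => empty( $input['contact'] ) ? '' : $input['contact'],
	);
}

function myplugin_render_demo() {
	$q = myplugin_read_query();

	// FILTER_VALIDATE_URL checks syntax only and accepts any scheme, so the
	// scheme is restricted at output time through esc_url()'s protocol list.
	$html  = '<a href="' . esc_url( $q['return_to'], array( 'http', 'https' ) ) . '">'
		. esc_html__( 'Back', 'myplugin' ) . '</a>';
	$html .= '<p>' . esc_html( sprintf( 'Page %d', $q['page_num'] ) ) . '</p>';
	if ( '' !== $q['contact'] ) {
		$html .= '<p>' . esc_html( $q['contact'] ) . '</p>';
	}
	return $html;
}
add_shortcode( 'myplugin_demo', 'myplugin_render_demo' );
```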