In Which Contexts are Plugins Responsible for Data Validation/Sanitization?

There are two concepts here:

  • validation – making sure data is valid, i.e. an integer is an integer, a date is a date (in the right format etc). This should be done just before saving the data.
  • sanitisation – making the date safe for its use in the current context (e.g. escaping SQL queries, or escaping HTML on output).

Validation is, almost universally, solely down to you. You know what data you are asking from a user, and you know what data you are expecting – WordPress doesn’t. Validation would be performed, for example, on the save_post hook before saving it to the database with update_post_meta, or it might be done through specifying a callback function in the Settings API, called just before WordPress saves the data.

Sanitisation is a bit more mixed. When dealing with data that WordPress natively knows about (e.g. a post’s tile) you can be sure that WordPress has already made the data safe. However ‘safe’ depends on context; what is safe for use on a page, is not necessarily safe as an element attribute. Hence WordPress will have different functions for different context (e.g the_title(), the_title_rss(), the_title_attribute()) – so you need to use the right one.

For the most part your plug-in might deal with post meta – or maybe event data from a custom table. WordPress doesn’t know what this data is or what it is for, so it certainly doesn’t know how to make it safe. This is up to you. This is particularly important in using esc_url(), esc_attr(), esc_textarea() etc to prevent malicious input from being able to embed code. Since WordPress knows next_posts() is suppose to print an url to the page, it applies esc_url() – but with post meta, say, it doesn’t know that it stores an url – or what you want to do with it (if printing, esc_url(), if redirecting esc_url_raw(). If in dobut – err on the side of caution and escape it yourself – and do this as late as possible.

Finally – what about saving data? Do you need to make it safe then? As mentioned you do need to make sure data is valid. But if using WordPress API (wp_insert_post(),update_post_meta() etc) then you don’t need to sanitise the data – because when saving data the only sanitising you need to be doing is to escape SQL statements – and WordPress does this. If you are running direct SQL statements (say to read/write data from a custom table) then you should use the $wpdb class to help you sanitise your queries.

I wrote this blog post on data sanitisation and validation which you might find helpful – in it I talk about what’s expected of you in this respect.

Related Posts:

  1. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  2. What is the difference between esc_html and wp_filter_nohtml_kses?
  3. What is the difference between strip_tags and wp_filter_nohtml_kses?
  4. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  5. Who is responsible for data sanitization in WordPress development?
  6. Prevent invalid or empty values from being saved to the database and retain the form field values upon error
  7. Is it necessary to do validation again when retrieving data from database?
  8. how to add security questions on wp-registration page and validate it
  9. oneOf two possible objects in WP REST API?
  10. esc_url, esc_url_raw or sanitize_url?
  11. Objective Best Practices for Plugin Development? [closed]
  12. How do i best handle custom plugin page actions?
  13. How to create an API for my plugin?
  14. Plugins in symlinked directories?
  15. Plugin Form Submission Best Practice
  16. Best way to abort plugin in case of insufficient PHP version?
  17. What do you think about custom designed plugin/theme options UIs?
  18. Where to put third party PHP library?
  19. Optimize shortcode callbacks
  20. How to integrate a PHP webmail script into the backend of WordPress?
  21. Is There A Hook To Process The Content Of The Text Widget?
  22. How to log plugin errors to plugin error_log file
  23. Which to use to execute code during the saving of a plugin settings page?
  24. Custom theme sufficient or custom plugin neccessary for this feature set?
  25. When to check if a function exists
  26. How to create custom home page via plugin?
  27. stray elements
  28. Adding callback function for wp_ajax_ has no effect
  29. Sessions not creating correctly in custom function
  30. Featured Image not showing in admin
  31. Plugin development: is adding empty index.php files necessary?
  32. Nuance in adding CPT and TAX to a submenu
  33. Can I differentiate between “Delete Post Permanently” and “Empty Trash” and do something for each accordingly?
  34. Why do I need to check if wp_nonce_field() exists before using it
  35. vs WordPress Security
  36. How to sanitize user input?
  37. How to deal with equal & similar arguments for a function?
  38. Disable The Events Calendar plugin from loading its scripts
  39. Applying OO patterns and principles to plugin development
  40. WordPress is automatically linking plain text email addresses
  41. Is Using WordPress Supplied WYSIWYG Advisable?
  42. Is it possible to change a term slug before being saved to the database?
  43. Maximum lifetime for nonce
  44. Verify if user is wordpress logged in from another app since wordpress 4.0
  45. Custom Taxonomy to dropdown box on adminside wordpress
  46. Create a free scripts and styles template within a plugin
  47. WP_Editor – Saving Value into Plugin Option – Stripping HTML
  48. Secure Pages Best Practice
  49. How to modify the comments to be displayed in a post?
  50. How can I turn a custom wordpress page into a product page?
  51. Incorporate small angular feature in my wordpress site
  52. How to Bind one post object Type with other postobject Type in Advanced Custom field [closed]
  53. Video Security just like facebook [closed]
  54. Unable to sanitize in customizer and escape in theme without removing ability for user to use “< br >” to insert a line break
  55. Is disabling test_form in wp_handle_upload a security concern?
  56. How to connect my wordpress plugin to a remote database securely?
  57. wp_nonce_field displaying twice
  58. How should I go about registering JavaScript that isn’t a file? [duplicate]
  59. Checking a WordPress for OWASP top 10 vulnerabilities [closed]
  60. How do I have now a duplicated user entry if this is not allowed (and I cannot replicate it)?
  61. Show message from backend
  62. Are there any security risks when submitting data-attribute data through AJAX?
  63. Why in this archive page that call query_posts() function show only the last 10 posts?
  64. Why would you use esc_attr() on internal functions?
  65. Is it possible to use WP-CLI in a plugin (or theme)?
  66. Secruity Questions on a timer
  67. How WordPress sanitizes post content on save? Or it doesn’t?
  68. Using HTML links within translatable string
  69. Converting core modification to a plugin
  70. How to replace settings in WordPress plugin from a theme
  71. How to remove/replace current page template?
  72. How to validate inputs with filter in register_setting callback
  73. Using password protection to load different page elements?
  74. How to determine which capability to use?
  75. Serial Number from custom table not appear in woocommerce_email_before_order_table action
  76. How to create a custom post-new.php page for plugin , no wp menu
  77. HTML Elements in my WP Plugin being generated in JS. Security and Translated Text Question about this method being used
  78. How do I add a 5 digit ZIP code validation to a Contact7 form?
  79. Want to know how to reveal a WordPress theme, considering the theme name is hidden?
  80. $ is not defined [duplicate]
  81. How to store sensitive user data (passwords)
  82. Save meta box data from selected dropdown list in bbpress reply form
  83. Sanitize WordPress Array Input?
  84. do I need to sanitize a shortcode’s function input?
  85. Create Customization panel for Plugins not for theme
  86. external Integration with wordpress timeout error
  87. Making adding info to an overlay bio easy for average user?
  88. Implementing Select2 plugin into WordPress
  89. Array/List Edit in Backend
  90. Managing Custom Designed Content
  91. Can I access WordPress API’s from within plugin scripts?
  92. Link to a admin submenu item using a custom link
  93. Change the search results header from plugin
  94. Client Profiles
  95. Developing Themes on WordPress, Looking for Excellent Tutorials [closed]
  96. Extend WP_List_Table class – Edit wp_usermeta – WPPB.me Boilerplate – Action error
  97. How can I properly sanitize the update_option in WordPress?
  98. Sanitize and Save metabox values
  99. Is there any other ways to replicating changes on live from staging without pushing from git
  100. how to sanitizing $_POST with the correct way?

Leave a Comment