PHP Coding Standards, Widgets and Sanitization

These arguments contain arbitrary HTML and cannot be properly escaped. This is essentially a limitation on how Widgets code was designed and you can see in core Widget classes that no escaping is done on these.

Lessons to learn:

  • WP core doesn’t consistently adhere to its own coding standards (and getting there isn’t considered worth targeted effort);
  • passing around chunks of HTML is bad idea, in your own code pass data and render appropriately with proper escaping.

Related Posts:

  1. Limit number of Widgets in Sidebars
  2. How to load Widget javascript + css files only if used?
  3. check if registered sidebar is active & has widget content
  4. Adding iframe Content to Sidebar Widget
  5. How to use wp_dequeue_style() for style enqueued in WP_Widget class
  6. Storing custom dashboard widget options in wordpress
  7. link wordpress and stackoverflow
  8. Widget with random posts from a blog for external sites
  9. Remove rss widget title link
  10. Sidebar Widget Registration without a name, how is it assigned to new named sidebar widget?
  11. How to use stack flair on my site?
  12. Trigger Submit Event when Widget is added to Sidebar
  13. Ask user permission when activating a plugin
  14. List sidebars on a page
  15. How to enable / use new video / audio / images widgets in WordPress 4.8?
  16. How do i export the HTML from text widgets?
  17. Searching for a better Twitter widget
  18. Latest/Recent posts widget title link
  19. the_widget() and widget’s ID
  20. How to put Stack Exchange Flair as widget?
  21. How do i display the built-in gallery inside a widget?
  22. Forcing the title of a text widget on to a new line in the admin area
  23. Image Upload Widget Issue
  24. Wp Customizer event for when a new widget has been added
  25. Sidebar not show customizer!
  26. Display single widget
  27. Customizing wordpress default widgets?
  28. different class (css) for sidebar widgets
  29. How to make this change without changing the core? [duplicate]
  30. Add pagination to listing plugin
  31. how to put functions inside of widgets
  32. Adding a Widget : what to put in plugin URL
  33. How to list all custom post types in a custom widget?
  34. How to extend WP_Widget_Media
  35. Drafts widget for admin page
  36. Global $wpdb is not showing correct data with function call
  37. Dynamic created widget id value of multi-instance in jQuery
  38. Text widget doesn’t save the content
  39. Post ID displayed instead of title [closed]
  40. Color picker in widget appears twice when added via the Customizer
  41. Hide widget (and white space) on specific resolution [closed]
  42. Adding Widgets to Draft Pages
  43. How to select multiple media files for a widget form?
  44. How do I pass the id of my widget to javascript in the form function?
  45. Widget – link to page rather than absolute url
  46. Programmatically add widgets to sidebars
  47. Are widgets meant to be used outside of sidebars?
  48. Is there a WordPress widget for my webpage?
  49. Validating widget’s configuration data on Admin page
  50. FTP Widget Location
  51. Turn off “This is the Primary Sidebar Widget Area” message
  52. Inserting Read More Tag in Widget
  53. dynamic sidebar in front page
  54. Display posts from category in post content?
  55. display widget checkbox selection on frontend
  56. Enabled checkbox by default in WordPress widgets
  57. Widgets in WP 4.3 disappearing – How to fix?
  58. Making jQuery .change() event persistent after widget save
  59. Widget background images missing on second blog excerpt page
  60. How should I add a “widget” like element?
  61. modifying title (in dashboard) for different widget instances
  62. How to translate Widget Description in constructor?
  63. Removing side bar widgets from GovPress theme
  64. What conditional to use for dynamic sidebar check?
  65. How to test if the widgetized area has any widgets?
  66. Saving widget gets an undefined variable
  67. Trouble accessing a multidimensional array to add classes to default WordPress widgets
  68. Distinguish between different widgets of the same type
  69. links to Media Library content in sidebar per page
  70. Why is registering a sidebar for each page causing my sidebars to reset?
  71. How do I customize the positioning of WordPress widgets?
  72. widgets in footer?
  73. Quick Draft widget in weird place on dashboard after being re-added
  74. How can I remove WordPress element IDs and Class names in the HTML?
  75. Remove widgets on mobile front page without affecting desktop
  76. Widget display nothing
  77. How can I have sidebar widgets on Twenty Seventeen theme on all pages?
  78. Collapsible widgets [closed]
  79. Loop through Widgets in sidebar using widget array number?
  80. Widget settings disappear after refresh
  81. How to display author meta in a sidebar widget
  82. Is it ok not to set widget in the main page of a one page WordPress Theme?
  83. How to get widget content in WordPress based on it’s ID?
  84. Recent Posts Widget URL / Domain change
  85. New Custom Widget Call a Different Widget Function
  86. Loading scripts only if a particular shortcode or widget is present
  87. Always show the widget title in a wordpress widget
  88. Custom php Widget keeps disappearing from the front end
  89. Insert to wp_footer if widget is found in the sidebar
  90. Using javascript on the new widget preview / customizer page
  91. Conditionally enable autoplay when using oEmbed in a custom widget
  92. Show or hide custom menu widget in side bar conditionally
  93. Custom tabs widget don’t work in google chrome, is blocked, do not change the tabs. Why?
  94. WordPress Hide Widget If $_Session Is Active?
  95. Widget which displays thumbnails, but links to urls?
  96. Recent posts with different class name for each post and a scrollbar?
  97. Problem on register/login widgets
  98. Classic widgets with 5.9+?
  99. Theme Widget Area Defaults
  100. How to add the “page” post type to Recent Activity widget displayed in admin?

Leave a Comment