Sanitize and data validation with apply_filters() function

There’s some confusion here, because not all of these are validation, there are 2 others that are necessary to understand what’s appropriate:

  • validation
  • sanitisation
  • escaping

Sanitisation

Sanitisation makes things clean and well formed

This cleans up the data, e.g. trimming trailing spaces, removing letters in a number field, making an all lowercase field all lowercase, etc

E.g. The user entered " Banana ", so turn it into "Banana"

Sanitisation is the first thing that should happen to input that comes from somewhere else, e.g. when processing a form, sanitise the data before doing anything with it. The same of any data that comes from a remote connection etc

Popular sanitising methods include:

  • stripping out HTML or particular tags via wp_kses wp_strip_all_tags etc
  • Removing ranges of characters, such as non-numeric characters, or punctuation
  • Trimming trailing characters such as spaces etc
  • Applying bounds such as restricting values to within a range ( this could instead be implemented as a validation check )

Validation

Validation checks if things are valid

Validation checks that the phone number the user entered is actually a phone number. It’s a true or false check.

E.g. Is the fruit the user chose actually a fruit?

This should be done on input after sanitising, and if validation fails, abort, popular methods of validation include:

  • functions like is_numeric etc
  • regular expressions, useful for things like phone numbers or URLs, things that have an expected format
  • checking roles and capabilities to verify the user actually has the ability to do the intended action
  • nonce checks
  • whitelists of predefined allowed values
  • checking values sit within valid ranges, e.g. nobody has a 200 character long telephone number, nor would somebody live in house number -2000000

Escaping

Escaping makes values safe for output, and enforces assumptions

Escape late, escape often.

Escaping isn’t talked about much, but imagine it using the fruit example from above. Escaping is like a conveyor belt with a fruit shaped cut out. You always get something fruit shaped at the end. If a fruit passes through, it’s untouched, but if a malicious actor goes through, a mangled but safe fruit shaped version pops out the end.

Escaping is therefore all about enforcing assumptions. E.g. in an <a> tag, the href attribute should contain a URL. But this might not be the case, escaping allows us to swap the “should contain” to a “will always contain”, providing us a guarantee. This prevents somebody starting their URL with "/> and inserting arbitary HTML.

Escaping should always be done on output, at the very latest point possible to ensure nothing was modified. Escaping is also context sensitive. You would use esc_attr to escape HTML attributes, but if it’s a href or src attribute, we would use esc_url to indicate it’s a URL we’re intending to output.

A Note on Double Escaping and wp_kses

You can sanitize and validate multiple times, but you should only escape a value once. This is because double escaping can double encode values, and in some circumstances can allow content to break out of escaping.

wp_kses_post and wp_kses are also unusual in that they can be used to escape, and to sanitise, and can be used multiple times on a value.

A Note on Early Escaping

This is a near mortal sin that can almost undo everything escaping gives you. Once something has been escaped, we know it is safe and secure to output it, but, if we then assign it to a variable, who knows what might happen to it between escaping and output. If that variable gets modified, passed to a function, or piped through a filter, it’s no longer safe, it’s status is a mystery. We can escape it again but now we’ve double escaped, so we might have made safe data dangerous, or mangled good data.

So About Those Filters

Should we sanitize and validate the apply_filters() like the examples below?

It depends on the context

On input:

  • Sanitise
  • then validate
  • if it’s valid then proceed, else reject

On output to the browser/requests/etc:

  • you can sanitise and validate once fetched from the database if you like, but the #1 priority is to escape, escape only once, and do it on the moment of output. Don’t store it in a variable, that’s early escaping and it’s dangerous
  • Escape after filtering, not before, who knows what the filter did to a known safe value, once the value is returned from the filter its safety and status are a mystery
  1. absint( apply_filters( 'slug_excerpt_length', 35 ) );

Great we now know this value is definitely a number, and a positive number too. If we prefix this statement with echo then that’s a safe escaped value. Else it’s just sanitisation that’s cleaned up the value.

  1. wp_kses_post( apply_filters( 'slug_excerpt_more', '&hellip;' ) );

Great, this is both sanitising and escaping if we immediately output it, but if we save it to a variable, it’s just sanitising.

  1. esc_url( apply_filters( 'slug_login_url', home_url( "https://wordpress.stackexchange.com/" ) ) );

This is escaping, and needs an echo statement. If we assign this to a variable then the escaping was for nought and we introduce a precarious situation.

If the question on the other hand is, should we double check the return values of filters? Yes, that would be wise, but overcautious. In that scenario I would expect that this would be testing for filters that aren’t implemented properly, e.g. returning text where a number is expected. In that scenario, validation is the only option, escaping and sanitisation would be inappropriate.

Exceptions

  • When using the_content filter, pass the value through wp_kses_post then pass it into the filter and immediatley echo, e.g. echo apply_filters( 'the_content', wp_kses_post( $dangerous ) );
  • In shortcodes, escape and use output buffers if you must, so that you can return a string

Related Posts:

  1. where to apply “apply filters” and other Sanitization Functions
  2. Post Content, Special Characters and Filters
  3. Contact Form 7: Make field required after checkbox is checked
  4. WooCommerce Custom Product Validation [closed]
  5. Change user nicename without sanitize
  6. Remove comments validation (remove filter?)
  7. how to unescape wordpress output
  8. Filter and validate user role in registration
  9. Sanitizing a custom query’s clauses
  10. how to sanitizing $_POST with the correct way?
  11. Not able to change wp_title using add_filter
  12. What’s the difference between esc_* functions?
  13. At what priority does add_filter overwrite core functions?
  14. How to add icons to post listing (edit.php) in admin
  15. Tiny MCE editor stripping xlink:href parameter from SVG USE tag
  16. Add quick edit fields without custom colum
  17. Prevent 404 when using pre_get_posts to filter an archive page
  18. Hook added to the_content seems to be called multiple times
  19. Is it possible to remove the filter from 4.8 text widget?
  20. Display WooCommerce newest product reviews on top [closed]
  21. Overriding wp_get_archives() apply_filters()
  22. How to remove X-Frame-Options: SAMEORIGIN” from WordPress?
  23. How can I hide all posts that don’t have a thumbnail?
  24. Restrict filter to run only inside specific function
  25. How to add a custom filter in functions.php
  26. Setting title using wp_title filter
  27. 4.0 remove_filter for WordPress core function not working for me
  28. How do I add a current class to the current post?
  29. How apply_filters work in WordPress?
  30. Apply a filter only once
  31. What functions are included in apply_filter(‘the_content’)
  32. option_active_plugins filter not working
  33. How do we check if the user is logging in or registering?
  34. Add a header before fields added with the attachment_fields_to_edit() filter
  35. Are there Limitations on filter handles?
  36. Hide content editor for posts after approriate date
  37. Buddypress: Edit activity when new blog post [closed]
  38. Same Conditionals Not Working on Two Different Hooks
  39. remove_action in plugin file
  40. How to apply filter at search of woocommerce products?
  41. Filter get_template_part() $args array
  42. Modify a Filters Second Parameter
  43. Variables in post title
  44. Filtering post-formats from the loop using new WP-Query();
  45. How to edit dashboard search posts button texts for my CPT?
  46. Insert term when page is published – avoid duplicates after edits
  47. How to add a filter to get_the_author_meta?
  48. When does a function assigned to the content_filtered_edit_pre filter hook fire?
  49. Capture post content before page renders
  50. Empty string supplied as input when parsing content
  51. How can I remove the kses filters when saving a specific post type ? (it breaks my JSON)
  52. Remove_action does not work
  53. How to access plugin variables from theme templates without using globals?
  54. How to pass variables to custom filter from multiple functions
  55. Make WP not format code, not insert line breaks in between tags
  56. add img class to native wordpress galleries
  57. the_content filter together with require_once returns 1 instead of the content of the included file
  58. Missing Argument 2 for apply_filter
  59. How to get a single hook from wp_head()?
  60. WP filter to alter admin CSS styles?
  61. Detect when gutenberg editor title is available in Dom after editor load
  62. How to apply a filter to an ACF wysiwig editor field output?
  63. Why this filter hook is not working when passing parameters?
  64. Is it possible to bind a function to a filter hook via Ajax?
  65. Add a filter to an action [closed]
  66. Change the template when the user is not logged in using page_template filter (it does not work)
  67. Do we need to escape data that we receive from theme options?
  68. Hide Posts In Back-end/Admin Based On User’s (Pseudo) Privileges Controlled by ACF
  69. Filter Pages by Custom Field (ACF) in admin area
  70. Filter posts by meta data using custom query
  71. Remove tags without a specific meta key from “choose from the most used tags”
  72. Which Filter Do I Use To Modify The Subject Of The Retrieve Password Notification Email?
  73. Register users by e-mail
  74. automatic title through filter
  75. Filter causing loss of _wp_attachment_metadata
  76. Buddypress Filter Multiple Activities [closed]
  77. How can I tranlslate post date in italian?
  78. How do I check if I can use the allowed_block_types filter?
  79. Having wp-admin on different domain
  80. Use a functions in functions.php to remove a string for template theme
  81. oembed_dataparse filter not running at all for standard YouTube embed
  82. Action for opening attachment or manipulating all attachment links
  83. Filter wp_mail based on content type
  84. Add filter conditionally to a page
  85. Remove the post_content search from WHERE clause (and CONCAT sql function)
  86. mu-plugins body_class filter not working
  87. Post filter Month dropdown at front-end like wordpress backend
  88. shortcode function outputs multiple anchor tags
  89. WP Dashboard -> Posts-> Filter by Category -> Form Method Change : Which Hook
  90. Show child theme for users on specific IP
  91. Remove action added from class
  92. wp.getPosts with status = ‘trash’ using node.js
  93. Is there a way to overwrite a filter used in canonical.php?
  94. How do I remove certain HTML elements with specific classes from the feed?
  95. Settings api sanatize callback not being triggered
  96. Adding an orderby filter, casting postmeta with multiple keys
  97. confusion with add_filter
  98. post->post_content filter
  99. How to change this WP logo and posts url in block editor?
  100. Limit total tags in the_content

Leave a Comment

error code: 523