wp_query not searching with apostrophe

Try using sanitize_text_field instead of esc_html:

    wp> $search_query = "Dalton's Law <br/>";
    string(18) "Dalton's Law <br/>"
    wp> $query = apply_filters( 'get_search_query', $search_query );
    string(18) "Dalton's Law <br/>"
    wp> $esc_html = esc_html( $query );
    string(29) "Dalton&#039;s Law &lt;br/&gt;"
    wp> $sanitized = sanitize_text_field( $query );
    string(12) "Dalton's Law"

esc_html should be used to escape output before it … Read more

Escape post image attachments added to template

Running the output through escaping function should be just fine. You can either use wp_kses_post(), which by default allows the same html attributes that you would use in the post content (see in codex): echo wp_kses_post( wp_get_attachment_image( $image_id ) ); or if you want to be more precise and strict, you can pass an array … Read more

When I re-save a post with [code] sections, the entities are double-escaped (&gt; becomes &amp;gt; etc)

I face this issue quite often on my own site where I publish code tutorials. Unfortunately, there isn’t a good solution. Instead, I recommend this workflow: Use the WYSIWYG editor to build your article content, leaving placeholders for your code snippets. Switch to the HTML editor to add your code snippets. The visual editor (TinyMCE) … Read more

How to sanitize user input?

I am not sure if this is helpful or not. As s_ha_dum said, you should post how you are processing the submitted data and sending it to the db. But for starters, you might look at escaping the outputted data in the form: <input style="width:100%" type="text" name="dataHow to sanitize user input?" id="title" value="<?php $title = get_option('data_test'); echo esc_attr($title['title']); … Read more

Quotes being escaped inside wp_editor when saved with wp_kses_post

WordPress always escapes quotes encountered in the superglobal variables. It is done in https://developer.wordpress.org/reference/functions/wp_magic_quotes/. You will most likely want to strip it with stripslashes before saving it into the DB. Something like: update_option( 'tld_wcdpue_settings_email_content', wp_kses_post( stripslashes( $_POST['tld_wcdpue_settings_wpeditor'] ) ) );

Should you escape hardcoded URLs?

No, you don’t need to escape hardcoded values. “As I understand it, if the URL doesn’t have an input via admin, it should be okay.” Not necessarily. There are many more potential sources of potentially malicious (or just accidentally broken) output that need to be accounted for, such as: Translations. Query strings ($_GET). Cookies. WordPress filters. … Read more

Escape when echoed

In fact, to be super pedantic, I think the correct code is actually: echo '<option value="' . esc_attr( $folder ) . '">' . esc_html( $folder ) . '</option>'; Since the first variable is an attribute, and the second is encased in html, although I would bet that the code you have would pass review, and … Read more

Escaping / encoding data before insert into a database?

You escape on output. What I suspect here is a confusion between escaping, sanitizing and validating. Sanitise when data arrives. This strips out stuff that shouldn’t be there, e.g. upper case letters in a lower case string, words and letters in a phone number, trailing spaces etc. Sanitising cleans data. Common sanitising functions include trim, … Read more
