What's the safest way to output custom JavaScript and CSS code entered by the admin in the Theme Settings?

Allowing the user to control code is an explicitly unsafe operation. As you note, the purpose of sanitization is pretty much to not let the user slip in anything executable and/or with malicious intent. To "sanitize" executable code you would need a programmatic understanding of it (a code parser) and a criteria engine to distinguish what is safe and what is … Read more

How Flexible are the WordPress Coding Standards for PHPCS?

Consider something like the following: echo esc_html( sprintf( _nx( '%1$s Comment on “%2$s”', '%1$s Comments on “%2$s”', $comment_count, 'Comments Title', 'theme-text-domain' ), number_format_i18n( $comment_count ), get_the_title() ) ); where you build the entire string with sprintf and escape that. The coding standards are clear that you should always escape output, and do so as late … Read more

Escape hexadecimals/rgba values

Just finished the sanitize callback for RGBA colors, and tested it in my theme and it's working perfectly, and it's taking RGBA values. Please find the code: function awstheme_sanitize_rgba( $color ) { if ( empty( $color ) || is_array( $color ) ) return 'rgba(0,0,0,0)'; // If string does not start with 'rgba', then treat as hex // … Read more

Allow all attributes in $allowedposttags tags

I'm pretty sure you have to explicitly name all allowed attributes – just use: $allowedposttags['iframe'] = array ( 'align' => true, 'frameborder' => true, 'height' => true, 'width' => true, 'sandbox' => true, 'seamless' => true, 'scrolling' => true, 'srcdoc' => true, 'src' => true, 'class' => true, 'id' => true, 'style' => true, 'border' … Read more

Prevent add_shortcode from escaping a tag

Look at the source of the_content(): function the_content( $more_link_text = null, $stripteaser = false ) { $content = get_the_content( $more_link_text, $stripteaser ); $content = apply_filters( 'the_content', $content ); $content = str_replace( ']]>', ']]&gt;', $content ); echo $content; } As you can see, there is no filter to prevent that. If you really need inline JavaScript in an XML document you have to escape … Read more

How do I stop HTML entities in a custom meta box from being un-htmlentitied?

If I'm allowed to answer my own question here: I found a way to stop the conversion of my HTML entities back to characters by using <?php esc_textarea( $text ) ?>, as detailed by the Codex here: http://codex.wordpress.org/Function_Reference/esc_textarea. Not sure if this is the right way of doing it, but it's working. My (snipped) metabox … Read more