esc_attr not working in shortcode

I think I have figured out the problem, though I have yet to solve it. I am running the shortcode in a WP Types custom WYSIWYG field. The shortcode works perfectly everywhere else, including directly in my theme files and in the native WordPress content WYSIWYG, so it seems it is a bug in WP … Read more

I am not understanding $wpdb->prepare correctly

Ok, so there is one major problem with your code and it has nothing to do with escaping LIKE statements in SQL. But let me start from that… There is nothing wrong with your escaping. You should do it exactly like that: global $wpdb; // Create a SQL statement with placeholders for the string input. … Read more

How to properly escape a translated string?

WordPress has a baked-in solution: esc_html__( string $text, string $domain = 'default' ) You can use that to replace __() and __x() but the second one looks for contextual translations where you specify the context for the string being translated. The codex for it is right here: https://developer.wordpress.org/reference/functions/esc_html__/

why is esc_html() returning nothing given a string containing a high-bit character?

Perhaps because the entity is a non-UTF8 character? Here's what esc_html() does: function esc_html( $text ) { $safe_text = wp_check_invalid_utf8( $text ); $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES ); return apply_filters( 'esc_html', $safe_text, $text ); } If not that, then it's getting sanitized when filtered by _wp_specialchars(), which does double-encoding (by default, no) and all sorts of things. … Read more

wp_specialchars and wp_specialchars_decode in a shortcode plugin

The Codex description of these two functions: wp_specialchars: Converts a number of special characters into their HTML entities. Specifically deals with: &, <, >, ", and '. wp_specialchars_decode: Converts a number of HTML entities into their special characters. According to http://codex.wordpress.org/Function_Reference/wp_specialchars This function is deprecated as of WordPress 2.8.0. Please use esc_html instead. You don't … Read more

What's the safest way to output custom JavaScript and CSS code entered by the admin in the Theme Settings?

Allowing a user to control code is an explicitly unsafe operation. As you note, the purpose of sanitization is pretty much to not let the user slip in anything executable and/or with malicious intent. To "sanitize" executable code you would need a programmatic understanding of it (a code parser) and a criteria engine to distinguish what is safe and what is … Read more

How Flexible are the WordPress Coding Standards for PHPCS?

Consider something like the following: echo esc_html( sprintf( _nx( '%1$s Comment on &ldquo;%2$s&rdquo;', '%1$s Comments on &ldquo;%2$s&rdquo;', $comment_count, 'Comments Title', 'theme-text-domain' ), number_format_i18n( $comment_count ), get_the_title() ) ); Where you build the entire string with sprintf and escape that. The coding standards are clear that you should always escape output, and do so as late … Read more

Escape hexadecimals/rgba values

Just finished the sanitize callback for RGBA colors now, tested it in my theme and it's working perfectly, and it's taking RGBA values. Please find the code: function awstheme_sanitize_rgba( $color ) { if ( empty( $color ) || is_array( $color ) ) return 'rgba(0,0,0,0)'; // If string does not start with 'rgba', then treat as hex // … Read more

Error!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)