From the Codex entry for Data Validation: URLs: esc_url( $url, (array) $protocols = null ) (since 2.8) Always use esc_url when sanitizing URLs (in text nodes, attribute nodes or anywhere else). Rejects URLs that do not have one of the provided whitelisted protocols (defaulting to http, https, ftp, ftps, mailto, news, irc, gopher, nntp, feed, … Read more
There’s some confusion here, because not all of these are validation, there are 2 others that are necessary to understand what’s appropriate: validation sanitisation escaping Sanitisation Sanitisation makes things clean and well formed This cleans up the data, e.g. trimming trailing spaces, removing letters in a number field, making an all lowercase field all lowercase, … Read more
Here is a PHP library that was created for sanitizing SVG files that may be worth looking into. https://github.com/darylldoyle/svg-sanitizer Here is an example of how this could be used: // Now do what you want with your clean SVG/XML data function your_save_meta( $post_id, $post, $update ) { // – Update the post’s metadata. if ( … Read more
It would appear that out of the box, there isn’t a difference function esc_html( $text ) { $safe_text = wp_check_invalid_utf8( $text ); $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES ); /** * Filters a string cleaned and escaped for output in HTML. * * Text passed to esc_html() is stripped of invalid or special characters * before … Read more
stripslashes(wp_filter_post_kses(addslashes($_POST[‘sidebar_code’]))); but you should know that the kses filter is not 100% safe.
We have to look a bit deeper here to get an answer to your question. So, bloginfo is a simple wrapper around get_bloginfo. <?php function bloginfo( $show=” ) { echo get_bloginfo( $show, ‘display’ ); } Notice the second argument display. Let’s see what that does. <?php function get_bloginfo( $show = ”, $filter=”raw” ) { // … Read more
That’s question is only relevant, because WordPress use a mix from a coding language and layout language. If you would use a template language, syntax, than is this topic not relevant. But to your question. If you use your example source for a Theme, much more layout language like html, then I prefer the first … Read more
The general rule, at least as espoused by Mark Jaquith, is sanitize on input, escape on output (the corollary to this rule being sanitize early, escape late). So: use sanitization filters (such as the kses() family) when storing untrusted data in the database, and use escaping filters (i.e. the esc_*() family) when outputting untrusted data … Read more
Escaping depends entirely on the context in which you are using the functions. What is safe for displaying inside <h1> tags, is not necessarily safe to display for the value attribute of an input field, and even that wouldn’t necessarily be safe as a href attribute value…. In short – perform the sanitisation yourself as … Read more
esc_html() escapes a string so that it is not parsed as HTML. Characters like < are converted to <, for example. This will look the same to the reader, but it means that if the value being output is <script> then it won’t be interpreted by the browser as an actual script tag. Use this … Read more