Where is escaped the shortcode?
Well that depends on how you define secure. I assume your embed code is an iframe which means that you are putting something not under your control (that could in theory always change into something malicious) into your site. This isn’t 100% secure itself. That is why esc_html strips that out. The question you have … Read more
site_url() returns with additional backslashes
The answer typically depends on where your translations come from. WordPress core doesn’t usually escape strings such as this, but you may wish to do so in your plugin. A translation might come from an “untrusted” source and could, in theory, contain malicious JavaScript, and escaping would protect you from this. In reality that’s unlikely, … Read more
I’m not sure if this is a bug, but it needs further investigation. I’ve run a few quick tests on the name field in a tax_query, and whenever a term name has a special character or has more than one word, the tax_query is excluded from the SQL query. TEST 1 I have use … Read more
Escaping and sanitization
Woah there. You’ve just opened up a can of SQL injection. I use the default get_query_var('s') that I believe is automatically escaped by WordPress. Not quite – get_search_query() will do that, but get_query_var( 's' ) gets the “raw” value. Regardless, always use wpdb::prepare or similar escaping before executing SQL: $query = $wpdb->prepare( "SELECT * FROM … Read more
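The injection that answer warns about, as an added example that is not part of the original post and not WordPress code: Python with an in-memory SQLite table stands in for $wpdb and MySQL, the table rows and the search terms are constructed for the demonstration, and search_vulnerable() interpolates the raw value of ?s= the way the question did, while search_prepared() binds it as a parameter (what wpdb::prepare does) and additionally escapes LIKE wildcards (what $wpdb->esc_like() does in WordPress).

```python
import sqlite3

# Constructed stand-in for a slice of wp_posts; not real WordPress data.
# Row 2 is a draft and must never be returned by a public search.
ROWS = [
    (1, "Hello world", "publish"),
    (2, "Draft secrets", "draft"),
    (3, "Hello again", "publish"),
]


def _db():
    """Fresh in-memory database loaded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (ID INTEGER, post_title TEXT, post_status TEXT)")
    con.executemany("INSERT INTO posts VALUES (?, ?, ?)", ROWS)
    return con


def search_vulnerable(term):
    """The pattern from the question: the raw search string is glued into SQL.

    Equivalent to "... LIKE '%" . get_query_var('s') . "%'" in PHP. A quote in
    `term` ends the string literal and the rest is parsed as SQL.
    """
    con = _db()
    sql = (
        "SELECT ID FROM posts WHERE post_status = 'publish' "
        "AND post_title LIKE '%" + term + "%' ORDER BY ID"
    )
    return [row[0] for row in con.execute(sql)]


def escape_like(term):
    """Escape LIKE metacharacters so the user cannot inject wildcards.

    Same job as $wpdb->esc_like() in WordPress: a search for "%" should
    match a literal percent sign, not every row.
    """
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_prepared(term):
    """Hardened form: the value travels as a bound parameter, never as SQL text.

    The "?" placeholder plays the role of wpdb::prepare's %s. Whatever quote
    or comment characters `term` contains, it can only ever be compared as a
    string against post_title.
    """
    con = _db()
    sql = (
        "SELECT ID FROM posts WHERE post_status = 'publish' "
        "AND post_title LIKE ? ESCAPE '\\' ORDER BY ID"
    )
    pattern = "%" + escape_like(term) + "%"
    return [row[0] for row in con.execute(sql, (pattern,))]


if __name__ == "__main__":
    # Benign query: both paths agree.
    print(search_vulnerable("Hello"), search_prepared("Hello"))
    # Injected quote + comment: the vulnerable path leaks the draft (ID 2).
    print(search_vulnerable("' OR 1=1 --"), search_prepared("' OR 1=1 --"))
    # Bare wildcard: only the prepared path treats it as a literal character.
    print(search_vulnerable("%"), search_prepared("%"))
```

Note that binding the parameter stops the quote-and-comment payload but not the wildcard one: without the esc_like step a search for "%" still matches every published row, which is why WordPress pairs $wpdb->prepare() with $wpdb->esc_like() for LIKE clauses.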
When you want to output trusted html, use html_entity_decode.
$orig = "I'll \"walk\" the <b>dog</b> now";
$a = htmlentities($orig);
$b = html_entity_decode($a);
echo $a; // I'll &quot;walk&quot; the &lt;b&gt;dog&lt;/b&gt; now (with ENT_QUOTES, the default since PHP 8.1, the apostrophe also becomes &#039;)
echo $b; // I'll "walk" the <b>dog</b> now
You can find more examples here.
To strip HTML tags and shortcodes, use a combination of PHP’s strip_tags ( http://php.net/manual/en/function.strip-tags.php ) and WordPress’s strip_shortcodes ( https://codex.wordpress.org/Function_Reference/strip_shortcodes ): $meta_des = strip_shortcodes( strip_tags( $des ) );