Sanitization of register_setting()

You can use sanitize_text_field exactly as you are. From the function's documentation: checks for invalid UTF-8; converts single < characters to entities; strips all tags; removes line breaks, tabs, and extra whitespace; strips percent-encoded characters. sanitize_text_field() is already defined as a function in WordPress, so you don't need to change anything. The sanitize_callback parameter takes … Read more

Does it make sense to sanitize the output of an SVG file?

It's not completely pointless, but probably smart to sanitize, because of the following situations: What's the certainty that the SVGs only come from you directly? Can you guarantee that the SVGs won't be intercepted during upload? Redundancies for keeping your site secure are generally recommended. I don't know that wp_kses() is the best for sanitizing … Read more

How to sanitize $_POST the correct way?

Instead of looping through the array, use this: map_deep( $form_data, 'sanitize_text_field' ); (see the User Notes in the function doc: https://developer.wordpress.org/reference/functions/sanitize_text_field/ ) The docs state that it checks for invalid UTF-8; converts single < characters to entities; strips all tags; removes line breaks, tabs, and extra whitespace; strips percent-encoded characters. So you could also use the … Read more

Properly sanitize an input field "Name "

You could do something like this: $input = "Name <[email protected]>"; // Break the input into parts preg_match( '/([^<]+)<([^>]+)>/i', $input, $matches, PREG_UNMATCHED_AS_NULL ); // Clean the name $name = sanitize_text_field( $matches[ 1 ] ); // Clean the email $email = sanitize_email( $matches[ 2 ] ); // Bail early if the values are invalid. if ( !$name || !$email … Read more

esc_url, esc_url_raw or sanitize_url?

This might be a more useful demonstration: <a href="<?php echo esc_url( $url ); ?>">I'm printing a URL to the frontend</a> $url = sanitize_url( $_GET['user_inputted_data'] ); update_post_meta( $post_id, 'that_url', $url ); esc_url is an escaping function, sanitize_url is a sanitising function. Sanitising functions clean incoming data, e.g. removing letters from phone numbers, stripping trailing space etc. … Read more