MITM risk of not sanitizing?

This is the official answer from the WordPress Plugin Review Team: PHP runs processes one at a time. If step 1 is “Validate” and step 2 is save, then between step 1 and 2 is where a MITM happens. Now. You may be thinking “But come on, nothing could possibly happen there! That’s too fast!” … Read more

What is the proper way to validate and sanitize JSON response from REST API?

Thanks to @GTsvetanov from Stackoverflow.com. The missing part of my code was $request->get_json_params(); for getting the JSON request, then comparing it with the schema using rest_validate_value_from_schema(), then using rest_sanitize_value_from_schema() to save proper data to the database. $schema = $this->user_playtime_meta_schema(); $val = $request->get_json_params();//<– my mistake $result = rest_validate_value_from_schema( $values, $schema ); if ( ! is_wp_error( rest_validate_value_from_schema( $val, $schema ) ) … Read more
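The full validate-then-sanitize flow from the answer above, written out as an added example (this is not the poster's code or WordPress core code). It assumes WordPress is loaded; the route name, the meta key, the schema and the function names are assumptions made for the illustration.

```php
<?php
/**
 * Added example: a REST callback that reads the JSON body, validates it against
 * a schema, sanitizes it with the same schema, and only then writes to the DB.
 * Assumes WordPress is loaded. Route, meta key, schema and names are assumed.
 */
function example_playtime_schema() {
    return array(
        'type'                 => 'object',
        'properties'           => array(
            // 'required' on a property is enforced by rest_validate_value_from_schema()
            // since WordPress 5.5; older versions only check it for route args.
            'seconds' => array( 'type' => 'integer', 'minimum' => 0, 'required' => true ),
            'level'   => array( 'type' => 'string', 'enum' => array( 'easy', 'normal', 'hard' ) ),
        ),
        'additionalProperties' => false, // reject keys the schema does not describe
    );
}

function example_save_playtime( WP_REST_Request $request ) {
    $schema = example_playtime_schema();
    $val    = $request->get_json_params(); // decoded JSON body; null when there was none

    if ( ! is_array( $val ) ) {
        return new WP_Error( 'rest_invalid_json', 'Expected a JSON object body.', array( 'status' => 400 ) );
    }

    // 1. Validate: reject anything that does not match the schema, with a 400.
    $check = rest_validate_value_from_schema( $val, $schema, 'playtime' );
    if ( is_wp_error( $check ) ) {
        $check->add_data( array( 'status' => 400 ) );
        return $check;
    }

    // 2. Sanitize: coerce to the schema's types (e.g. "12" -> 12) and drop extras.
    $clean = rest_sanitize_value_from_schema( $val, $schema, 'playtime' );

    // 3. Only now touch the database, and only with the sanitized copy.
    update_user_meta( get_current_user_id(), 'example_playtime', $clean );

    return rest_ensure_response( $clean );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/playtime', array(
        'methods'             => 'POST',
        'callback'            => 'example_save_playtime',
        // Never omit this: without it the route is open to everyone.
        'permission_callback' => function () {
            return is_user_logged_in();
        },
    ) );
} );
```

Note that `$val` is passed to both `rest_validate_value_from_schema()` and `rest_sanitize_value_from_schema()`, and that only the return value of the sanitize step reaches `update_user_meta()`. With cookie authentication the request must also carry a valid `X-WP-Nonce` header, otherwise `is_user_logged_in()` is false inside the REST callback.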

wpdb get_results() and prepare when to use prepare?

So if I have a function that gets terms from the database (not the user), do I need to use prepare first (before get_results()), or some sort of data sanitizing? Yes, but you should be using get_terms/WP_Term_Query/wp_get_object_terms/etc. and the other term APIs instead, as they’re safer and can be much faster. … Read more
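Both halves of the answer above in code, as an added example (not the answerer's code or WordPress core code): a hand-written query that goes through `$wpdb->prepare()` with one placeholder per value, next to the term API call that makes the SQL unnecessary. It assumes WordPress is loaded; the function names are assumed.

```php
<?php
/**
 * Added example. Assumes WordPress is loaded; function names are assumed.
 *
 * UNSAFE pattern the answer warns against (never do this):
 *   $wpdb->get_results( "SELECT * FROM {$wpdb->terms} WHERE slug = '$slug'" );
 * The value came from somewhere; whether that is the user or another table,
 * it lands in the SQL string unquoted and unescaped.
 */
function example_term_names_by_ids( array $term_ids ) {
    global $wpdb;

    $term_ids = array_filter( array_map( 'absint', $term_ids ) ); // ints only, drop 0
    if ( empty( $term_ids ) ) {
        return array();
    }

    // One %d placeholder per id. prepare() accepts an array of arguments, so the
    // list can be passed as-is; the values never touch the query text directly.
    $placeholders = implode( ', ', array_fill( 0, count( $term_ids ), '%d' ) );

    $sql = $wpdb->prepare(
        "SELECT t.term_id, t.name
           FROM {$wpdb->terms} t
          WHERE t.term_id IN ( $placeholders )",
        $term_ids
    );

    return $wpdb->get_results( $sql, ARRAY_A );
}

/**
 * The preferred form from the answer: no SQL at all. get_terms() does its own
 * prepare() internally and uses the object cache.
 */
function example_term_names_by_ids_api( array $term_ids ) {
    $term_ids = array_filter( array_map( 'absint', $term_ids ) );
    if ( empty( $term_ids ) ) {
        return array(); // an empty 'include' would mean "all terms", so bail first
    }

    return get_terms( array(
        'include'    => $term_ids,
        'hide_empty' => false,
        'fields'     => 'id=>name',
    ) );
}
```

The table name is interpolated because it is a trusted constant (`$wpdb->terms`), which is the one thing placeholders cannot express; everything that is data goes through `%d`/`%s`. `%s` placeholders should be written bare, without surrounding quotes, because `prepare()` adds them.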

Do We Need to Validate, Sanitize, or Filter Simple Numerical Superglobals (Cookies and Post)?

Without reading the question, just from the title, the answer is YES. Any input from the outside world should be validated and sanitized where appropriate, and this includes input the server receives; the fact that it might have been generated in a form you designed is irrelevant. Input should never be trusted. Now about internal … Read more

Storing HTML in wp_options

Given that you are dealing with email, I’d run wp_kses() with a very limited $allowed_html array similar to this sample from the Codex: array( 'a' => array( 'href' => array(), 'title' => array() ), 'br' => array(), 'em' => array(), 'strong' => array(), ); HTML rendering is even more squirrelly in email readers than browsers … Read more
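The allow-list from the answer above put to work on both sides of wp_options, as an added example (not the answerer's code or WordPress core code): the HTML is filtered before `update_option()` and again when read back, because nothing guarantees the stored value was written by this code. It assumes WordPress is loaded; the option name, the function names and the sample input are assumed.

```php
<?php
/**
 * Added example. Assumes WordPress is loaded; option and function names assumed.
 */
function example_email_allowed_html() {
    return array(
        'a'      => array( 'href' => array(), 'title' => array() ),
        'br'     => array(),
        'em'     => array(),
        'strong' => array(),
    );
}

function example_clean_email_html( $html ) {
    // wp_kses() removes every tag and attribute outside the allow-list and only
    // keeps href values whose scheme is in wp_allowed_protocols(), so a
    // javascript: link loses its scheme rather than surviving into the email.
    return wp_kses( (string) $html, example_email_allowed_html() );
}

function example_save_email_footer( $html ) {
    // Third argument: do not autoload a blob of HTML on every request.
    return update_option( 'example_email_footer', example_clean_email_html( $html ), false );
}

function example_email_footer() {
    // Filter on read as well; the option could have been set by another plugin,
    // an import, or a direct database edit.
    return example_clean_email_html( get_option( 'example_email_footer', '' ) );
}

// Constructed sample input for illustration:
//   '<strong onclick="x()">Hi</strong><script>1</script><a href="https://example.com">go</a>'
// becomes
//   '<strong>Hi</strong>1<a href="https://example.com">go</a>'
// The onclick attribute and the <script> tags are gone; the text "1" remains,
// because wp_kses() strips tags, it does not delete their contents.
```

If the option is exposed through the Settings API, pass `'example_clean_email_html'` as the `sanitize_callback` so the same filter runs on every save from the admin form.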

Best Practice for Validating and Sanitizing Data

Inputs need to be validated/sanitized before making any execution flow decision based on it. Actually a +100 to the reviewer that caught it (or whoever wrote the automated tool) as I would have missed it. Sanitization is something that needs context. Just because function A does a sanitization in the context of storing and displaying … Read more

How to sanitize my cookie name

Assuming $from_page is a string value and not an array or object, sanitize_key() should do the trick; it allows only a-z0-9_- and I believe it is used for permalinks. $cookiename = sanitize_key( 'unrestrict_'.$from_page ); setcookie( $cookiename, 1 … There’s a whole bunch of WordPress sanitizing functions; a reference is available in the docs.
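One added example (not from either answer, and not WordPress core code) that serves two of the posts above: "Do We Need to Validate, Sanitize, or Filter Simple Numerical Superglobals (Cookies and Post)?" and "How to sanitize my cookie name". The cookie name is built with `sanitize_key()` as the answer suggests, and the "simple" numeric value read back from `$_COOKIE` is validated strictly instead of being trusted because it is "just a number". It assumes WordPress is loaded; the cookie name prefix, the query argument and the function names are assumed.

```php
<?php
/**
 * Added example. Assumes WordPress is loaded; names are assumed.
 */

// Cookie name from untrusted input. sanitize_key() lowercases and keeps only
// a-z, 0-9, '_' and '-', so nothing that can break a Set-Cookie header gets in.
function example_cookie_name( $from_page ) {
    $from_page = is_scalar( $from_page ) ? (string) $from_page : ''; // arrays/objects -> ''
    return sanitize_key( 'unrestrict_' . $from_page );
}

// Read a numeric value from $_COOKIE or $_POST and return a validated int or null.
// "Looks numeric" is not enough: is_numeric() accepts "1e3", " 7", "0x1A" in some
// PHP versions and "12abc" survives a plain (int) cast. Require digits only and a range.
function example_read_uint( array $source, $key, $min = 0, $max = PHP_INT_MAX ) {
    if ( ! isset( $source[ $key ] ) || ! is_string( $source[ $key ] ) ) {
        return null; // missing, or an array (?key[]=1): reject, do not cast
    }
    $raw = $source[ $key ];
    if ( ! ctype_digit( $raw ) || strlen( $raw ) > 18 ) {
        return null; // non-digits, empty, or too long to fit a 64-bit int safely
    }
    $n = (int) $raw;
    return ( $n >= $min && $n <= $max ) ? $n : null;
}

// Cookies must be sent before any output, so do it on 'init', not in a template.
add_action( 'init', function () {
    $from = isset( $_GET['from'] ) ? wp_unslash( $_GET['from'] ) : '';
    $name = example_cookie_name( $from );

    if ( isset( $_GET['unrestrict'] ) ) {
        // Secure only over HTTPS, HttpOnly so scripts cannot read it.
        setcookie( $name, '1', time() + DAY_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
        return;
    }

    // The flag is "1" or nothing; anything else in the cookie is treated as absent.
    $flag = example_read_uint( $_COOKIE, $name, 0, 1 );
    if ( 1 === $flag ) {
        // ... grant the unrestricted view for this page ...
    }
} );
```

Even after validation the flag is still only a client-side assertion; a cookie value of `1` proves nothing about authorization, so a decision that matters should be backed by a server-side check (capability, nonce, or a signed value) rather than the cookie alone.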

Why does wp_redirect strip out %0A (url encoded new line character) and how do I make it stop?

If you take a look at the wp_sanitize_redirect() function you will notice it removes newlines from the destination URL: https://core.trac.wordpress.org/browser/tags/4.9/src/wp-includes/pluggable.php#L1249 In my opinion you have 2 options: 1 – Convert newlines in the message to a different allowed unique character combination and then replace them back with newlines before outputting … Read more
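Option 1 from the answer above carried through, as an added example (not the answerer's code or WordPress core code): newlines in the message are swapped for a placeholder that `wp_sanitize_redirect()` leaves alone, and swapped back on the receiving page. It assumes WordPress is loaded; the placeholder token, the `msg` query argument and the function names are assumed.

```php
<?php
/**
 * Added example. Assumes WordPress is loaded; token, query arg and names assumed.
 */
const EXAMPLE_NL_TOKEN = '__nl__';

function example_redirect_with_message( $url, $message ) {
    // wp_sanitize_redirect() removes %0A/%0D deliberately: a newline that reaches
    // the Location header would let an attacker inject further response headers.
    // So do not fight it; encode the newlines as a token made of allowed characters.
    $message = str_replace( array( "\r\n", "\r", "\n" ), EXAMPLE_NL_TOKEN, $message );

    // add_query_arg() does not encode values itself, so encode explicitly.
    $target = add_query_arg( 'msg', rawurlencode( $message ), $url );

    // wp_safe_redirect() runs the same sanitizer as wp_redirect() and additionally
    // refuses off-site targets.
    wp_safe_redirect( $target );
    exit;
}

function example_message_from_request( array $get ) {
    if ( ! isset( $get['msg'] ) || ! is_string( $get['msg'] ) ) {
        return '';
    }
    $message = wp_unslash( $get['msg'] );          // PHP already %-decoded it
    $message = str_replace( EXAMPLE_NL_TOKEN, "\n", $message );

    // It came back from the URL, so it is untrusted again: escape, then add <br>.
    return nl2br( esc_html( $message ) );
}

// Usage on the target page, e.g. in a template or a shortcode:
//   echo example_message_from_request( $_GET );
```

Because the message round-trips through the query string, anyone can craft a URL with an arbitrary `msg`; the `esc_html()` on output is what keeps that from becoming reflected XSS. A message longer than a few hundred bytes is better stored server-side (a transient keyed by a random id) with only the id passed in the URL.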

Settings API – sanitize_callback is not called and it leads to an incorrect behavior

If I take the value sanitize_callback out of the argument array completely, everything works as desired, so error-free. Yes, and that’s because you used the wrong callable syntax, which then causes PHP to use a global function named sanitize_options instead of the method/function of the same name in your class (i.e. Faqdesk_Settings::sanitize_options()). So to solve … Read more
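The callable fix from the answer above, shown in context as an added example (not the asker's code or WordPress core code): the settings class registers its option with a callable that actually resolves to the class method, and the method returns the cleaned array that gets stored. The class, option and group names and the option fields are assumed.

```php
<?php
/**
 * Added example. Assumes WordPress is loaded; class, group, option and field names assumed.
 */
class Example_Settings {

    public function __construct() {
        add_action( 'admin_init', array( $this, 'register' ) );
    }

    public function register() {
        register_setting(
            'example_group',
            'example_options',
            array(
                'type'              => 'array',
                // Wrong: 'sanitize_callback' => 'sanitize_options'
                // A bare string names a global function. There is none by that
                // name, so PHP cannot call it and the method below never runs.
                // Right: point at the method on this instance.
                'sanitize_callback' => array( $this, 'sanitize_options' ),
                'default'           => array(),
            )
        );
    }

    /** Runs on every save of the options page; its return value is what is stored. */
    public function sanitize_options( $input ) {
        $clean = array();
        if ( ! is_array( $input ) ) {
            return $clean; // a scalar or null here means a malformed submission
        }

        // Each field gets the check that fits its meaning, not a generic "sanitize".
        $clean['per_page'] = isset( $input['per_page'] )
            ? max( 1, min( 100, absint( $input['per_page'] ) ) )
            : 10;
        $clean['title']    = isset( $input['title'] ) ? sanitize_text_field( $input['title'] ) : '';
        $clean['enabled']  = ! empty( $input['enabled'] );

        return $clean;
    }
}

new Example_Settings();
```

If the method were `static`, the equivalent callables would be `array( __CLASS__, 'sanitize_options' )` or the string `'Example_Settings::sanitize_options'`; the plain `'sanitize_options'` string is only correct for a function defined at file scope.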
