Is it necessary to sanitize wp_set_password user input?
No, there is no need to sanitize passwords. You don’t want to strip out or rewrite a value on users’ set passwords. They will be hashed afterwards, so no need
Yep, you can escape it as normal HTML, like so: <?php echo esc_html( $email ); ?> For the mailto link, you can use esc_url. Just make sure you include mailto: into the URL, e.g.: <a href="<?php echo esc_url( 'mailto:' . $email ); ?>"> So a fully escaped mail link would look like this: <a href="<?php … Read more
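The pattern from that answer carried through as an added example (this is not the answer's own code). It assumes the WordPress runtime (is_email, esc_html, esc_url are core functions); the helper name is made up. Validation decides whether anything is output at all, and escaping is applied once per output context without rewriting the stored value.

```php
<?php
// Added example, not code from the answer above. Assumes the WordPress
// runtime; example_mailto_link() is a made-up helper name.

/**
 * Return a fully escaped mailto link, or '' if the address is not valid.
 *
 * - is_email() is the gate: an address carrying '"', '<' or '>' fails it,
 *   so nothing is rendered for a markup payload.
 * - esc_url() escapes for the href attribute and only lets the URL through
 *   because mailto: is in wp_allowed_protocols(); a javascript: scheme
 *   would make it return ''.
 * - esc_html() escapes for the text-node context.
 */
function example_mailto_link( $email ) {
    if ( ! is_email( $email ) ) {
        return '';                               // reject, do not try to "repair"
    }
    $href = esc_url( 'mailto:' . $email );       // attribute context
    $text = esc_html( $email );                  // text context
    return '<a href="' . $href . '">' . $text . '</a>';
}

// Constructed inputs: a normal address, and one that smuggles markup.
// The second one never reaches esc_url()/esc_html(): is_email() rejects it.
foreach ( array( 'alice@example.com', '"><script>alert(1)</script>@example.com' ) as $candidate ) {
    $link = example_mailto_link( $candidate );
    echo ( '' === $link ) ? "rejected\n" : $link . "\n";
}
```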
This is the official answer from the WordPress Plugin Review Team: PHP runs processes one at a time. If step 1 is “Validate” and step 2 is save, then between step 1 and 2 is where a MITM happens. Now. You may be thinking “But come on, nothing could possibly happen there! That’s too fast!” … Read more
Thanks to @GTsvetanov from Stackoverflow.com. Missing part of my code is $request->get_json_params(); for getting json request then compare it with schema using rest_validate_value_from_schema() then using rest_sanitize_value_from_schema() for saving proper data to database. $schema = $this->user_playtime_meta_schema(); $val = $request->get_json_params();//<-- my mistake $result = rest_validate_value_from_schema( $val, $schema ); if ( ! is_wp_error( rest_validate_value_from_schema( $val, $schema ) ) … Read more
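The validate-then-sanitize flow from that answer as a complete route, added here as an example (not the answer's code). It assumes the WordPress runtime at 5.5 or later (for the object-level `required` and `additionalProperties` schema keywords); the namespace, route, meta key and schema fields are made up for the example.

```php
<?php
// Added example, not code from the answer above. Assumes WordPress >= 5.5.
// 'example/v1', '/playtime', 'example_playtime' and the schema are invented.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/playtime', array(
        'methods'             => 'POST',
        'callback'            => 'example_save_playtime',
        // Never omit this: a route without a permission_callback is open to everyone.
        'permission_callback' => function () {
            return is_user_logged_in();
        },
    ) );
} );

function example_playtime_schema() {
    return array(
        'type'                 => 'object',
        'properties'           => array(
            'minutes' => array( 'type' => 'integer', 'minimum' => 0, 'maximum' => 1440 ),
            'game'    => array( 'type' => 'string',  'maxLength' => 64 ),
        ),
        'required'             => array( 'minutes', 'game' ),
        'additionalProperties' => false,   // unknown keys are an error, not silently stored
    );
}

function example_save_playtime( WP_REST_Request $request ) {
    $schema = example_playtime_schema();
    $body   = $request->get_json_params();   // decoded JSON body; null if the body was not JSON

    // 1. Validate: anything that does not match the schema is a 400, including
    //    a non-JSON body (null is "not of type object").
    $valid = rest_validate_value_from_schema( $body, $schema, 'body' );
    if ( is_wp_error( $valid ) ) {
        $valid->add_data( array( 'status' => 400 ) );
        return $valid;
    }

    // 2. Sanitize: coerce to the schema types ("12" becomes 12) and run the
    //    string sanitizers, so only the cleaned value reaches the database.
    $clean = rest_sanitize_value_from_schema( $body, $schema, 'body' );
    if ( is_wp_error( $clean ) ) {
        return $clean;
    }

    update_user_meta( get_current_user_id(), 'example_playtime', $clean );
    return rest_ensure_response( array( 'saved' => $clean ) );
}
```

Note that the sanitized result, not the raw `$body`, is what gets stored; validation only tells you the input is acceptable, sanitization produces the value you keep.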
so if i have a function that gets terms from the database ( not the user ) do I need to use prepare first ( before get_results() ), or some sort of data sanitizing? Yes, but you should be using get_terms/WP_Term_Query/wp_get_object_terms/etc and the other term APIs instead as they’re safer and can be much faster. … Read more
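The same lookup done three ways, as an added example that is not part of the answer above. It assumes the WordPress runtime (`$wpdb`, `get_terms`); the taxonomy name and helper names are made up.

```php
<?php
// Added example, not code from the answer above. Assumes the WordPress
// runtime; 'example_tag' and the example_* function names are invented.

// (a) Unsafe: the term name is interpolated into SQL, so whoever created the
//     term controls part of the query. "It came from the database" does not
//     make a value trusted.
function example_term_ids_unsafe( $name ) {
    global $wpdb;
    return $wpdb->get_col( "SELECT term_id FROM {$wpdb->terms} WHERE name = '$name'" );
}

// (b) Acceptable when a custom query is unavoidable: every value goes through
//     a prepare() placeholder and never into the SQL string itself.
function example_term_ids_prepared( $name ) {
    global $wpdb;
    return $wpdb->get_col(
        $wpdb->prepare( "SELECT term_id FROM {$wpdb->terms} WHERE name = %s", $name )
    );
}

// (c) Preferred: the term API builds the SQL for you, uses the object cache,
//     and applies the taxonomy's own rules.
function example_term_ids_api( $name, $taxonomy = 'example_tag' ) {
    $terms = get_terms( array(
        'taxonomy'   => $taxonomy,
        'name'       => $name,
        'hide_empty' => false,
        'fields'     => 'ids',
    ) );
    return is_wp_error( $terms ) ? array() : $terms;
}
```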
Without reading the question, just from the title, the answer is YES. Any input from the outside world should be validated and sanitized where appropriate, and this includes input the server receives; the fact that it might have been generated in a form you designed is irrelevant. Input should never be trusted. Now about internal … Read more
Given that you are dealing with email, I'd run wp_kses() with a very limited $allowed_html array similar to this sample from the Codex: array( 'a' => array( 'href' => array(), 'title' => array() ), 'br' => array(), 'em' => array(), 'strong' => array(), ); HTML rendering is even more squirrelly in email readers than browsers … Read more
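That allow-list applied to an outbound message, as an added example that is not the answer's own code. It assumes the WordPress runtime (wp_kses, wp_mail); the `$allowed_html` array is the one the answer quotes, while the functions around it and the sample message are constructed for the example. It also passes an explicit protocol allow-list as wp_kses()'s third argument, so a javascript: or data: href is stripped along with the disallowed tags.

```php
<?php
// Added example, not code from the answer above. Assumes the WordPress
// runtime; the example_* names and the sample message are invented.

function example_email_allowed_html() {
    return array(
        'a'      => array( 'href' => array(), 'title' => array() ),
        'br'     => array(),
        'em'     => array(),
        'strong' => array(),
    );
}

/**
 * Reduce a message to the allow-listed tags and attributes. Other tags are
 * removed (their text content is kept), other attributes on <a> such as
 * onclick are dropped, and an href whose scheme is not http/https/mailto
 * has that scheme stripped.
 */
function example_clean_email_html( $html ) {
    return wp_kses( $html, example_email_allowed_html(), array( 'http', 'https', 'mailto' ) );
}

function example_send_notice( $to, $subject, $html ) {
    return wp_mail(
        $to,
        $subject,
        example_clean_email_html( $html ),
        array( 'Content-Type: text/html; charset=UTF-8' )
    );
}

// Constructed input mixing allowed markup with things that must not survive:
// <p> and <script> tags go (text stays), onclick goes, javascript: is stripped
// from the second href, <strong>, <br> and the first <a href> remain.
$constructed = '<p>Hi <strong>Alice</strong>,<br>see <a href="https://example.com/x" onclick="steal()">this</a> '
             . 'and <a href="javascript:alert(1)">this</a> <script>alert(1)</script></p>';
echo example_clean_email_html( $constructed ), "\n";
```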
Inputs need to be validated/sanitized before making any execution flow decision based on it. Actually a +100 to the reviewer that caught it (or whoever wrote the automated tool) as I would have missed it. Sanitization is something that needs context. Just because function A does a sanitization in the context of storing and displaying … Read more
Assuming $from_page is a string value and not an array or object, sanitize_key() should do the trick, it allows only a-z0-9_- and I believe is used for permalink. $cookiename = sanitize_key( 'unrestrict_'.$from_page ); setcookie( $cookiename, 1 … there's a whole bunch of wordpress sanitizing functions, reference available in the docs.
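The cookie from that answer set the way a practitioner would, as an added example (not the answer's code). It assumes the WordPress runtime (sanitize_key, is_ssl, the COOKIEPATH/COOKIE_DOMAIN/DAY_IN_SECONDS constants) and PHP 7.3 or later for setcookie()'s options array; the `unrestrict_` prefix is the answer's, the function names are made up.

```php
<?php
// Added example, not code from the answer above. Assumes WordPress and
// PHP >= 7.3; the example_* function names are invented.

function example_unrestrict_cookie_name( $from_page ) {
    // sanitize_key() lowercases and keeps only a-z, 0-9, '_' and '-', so the
    // result cannot carry ';', '=', whitespace or CR/LF into the Set-Cookie header.
    $key = sanitize_key( 'unrestrict_' . $from_page );
    // If $from_page consisted only of rejected characters we are left with the
    // bare prefix; refuse that rather than sharing one cookie across pages.
    return ( 'unrestrict_' === $key ) ? '' : $key;
}

function example_set_unrestrict_cookie( $from_page ) {
    if ( headers_sent() ) {
        return false;
    }
    $name = example_unrestrict_cookie_name( $from_page );
    if ( '' === $name ) {
        return false;
    }
    return setcookie( $name, '1', array(
        'expires'  => time() + DAY_IN_SECONDS,
        'path'     => COOKIEPATH,
        'domain'   => COOKIE_DOMAIN,
        'secure'   => is_ssl(),   // HTTPS-only whenever the site is served over HTTPS
        'httponly' => true,       // not readable from page script
        'samesite' => 'Lax',
    ) );
}
```

The name is the only part sanitize_key() protects. The cookie itself is client-controlled, so whatever its presence is meant to unlock still has to be checked server-side when the cookie is read back.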
If you take a look to the wp_sanitize_redirect() function you will notice it is removing the new lines from the destination URL: https://core.trac.wordpress.org/browser/tags/4.9/src/wp-includes/pluggable.php#L1249 In my opinion you have 2 options: 1 – Convert new lines on the message to a diff allowed unique char combination and then replace them back to new lines before outputting … Read more
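The answer's option 1 carried through end to end, as an added example that is not the answer's own code. It assumes the WordPress runtime (add_query_arg, wp_safe_redirect, wp_unslash, esc_html); the query key and the choice of base64url as the "allowed character combination" are made up for the example. wp_sanitize_redirect() keeps only the characters `a-z 0-9 - ~ + _ . ? # = & ; , / : % ! * [ ] ( ) @` and additionally strips `%0a`/`%0d`, so a URL-encoded newline does not survive either; an encoding whose output alphabet lies inside that set does.

```php
<?php
// Added example, not code from the answer above. Assumes the WordPress
// runtime; 'example_msg' and the example_* function names are invented.

// base64url output is A-Z a-z 0-9 '-' '_', all of which wp_sanitize_redirect()
// leaves alone. Padding is dropped so no '=' has to be carried either.
function example_encode_redirect_message( $message ) {
    return rtrim( strtr( base64_encode( $message ), '+/', '-_' ), '=' );
}

// Anyone can put anything in the URL: fail closed on junk and cap the size.
function example_decode_redirect_message( $encoded ) {
    if ( ! is_string( $encoded ) || strlen( $encoded ) > 2000
         || ! preg_match( '/^[A-Za-z0-9_-]*$/', $encoded ) ) {
        return '';
    }
    $decoded = base64_decode( strtr( $encoded, '-_', '+/' ), true );
    return ( false === $decoded ) ? '' : $decoded;
}

// Sender side: after the save, redirect back with the message attached.
function example_redirect_with_message( $target_url, $message ) {
    $url = add_query_arg( 'example_msg', example_encode_redirect_message( $message ), $target_url );
    wp_safe_redirect( $url );   // same-host check, then wp_sanitize_redirect()
    exit;
}

// Receiver side: decode, escape for HTML, and only then turn "\n" into <br>.
// The decoded text is untrusted (it arrived in the URL), so esc_html() runs
// before nl2br(), never after.
function example_render_redirect_message() {
    if ( empty( $_GET['example_msg'] ) ) {
        return '';
    }
    $text = example_decode_redirect_message( wp_unslash( $_GET['example_msg'] ) );
    if ( '' === $text ) {
        return '';
    }
    return '<div class="notice">' . nl2br( esc_html( $text ) ) . '</div>';
}

// Constructed round trip for a multi-line message.
$constructed = "Saved 3 items.\nOne item was skipped: <bad>\nCheck the log.";
$encoded     = example_encode_redirect_message( $constructed );
$roundtrip   = example_decode_redirect_message( $encoded );
echo ( $roundtrip === $constructed ) ? "round trip ok\n" : "round trip failed\n";
```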