If you want to use the above sanitize_file_name filter, you could try this: function make_filename_hash($filename) { if( isset($_REQUEST[‘post_id’]) ) { $post_id = (int)$_REQUEST[‘post_id’]; }else{ $post_id=0; } $info = pathinfo($filename); $ext = empty($info[‘extension’]) ? ” : ‘.’ . $info[‘extension’]; $name = basename($filename, $ext); if($post_id>0){ return $post_id.”_”.$name . $ext; }else{ return $name . $ext; } } add_filter(‘sanitize_file_name’, … Read more
I am not sure if this helpful or not. As s_ha_dum said, you should post how you are processing the submitted data and sending to db. But for starters, you might look at escaping the outputted data in the form: <input style=”width:100%” type=”text” name=”dataHow to sanitize user input?” id=”title” value=”<?php $title = get_option(‘data_test’); echo esc_attr($title[‘title’]); … Read more
What you’re asking for is impossible, there is no such thing as a safe javascript entry box. Even if we strip out extra script and style tags, it’s pointless, as the javascript code itself is inherently dangerous, and can create any elements it wants using DOM construction, e.g.: var s = jQuery( ‘script’, { ‘src’: … Read more
Yes, WordPress will sanitise data on its way to the database, so long as you use the APIs. If you’re using the wpdb object however you’ll need to use the prepare method to sanitise. I recommend against writing SQL queries as it bypasses object caches etc, but if you must write your own SQL, use … Read more
You’re not getting the TESTING because your playlist argument should actually be in the args array like so: (reindented for brevity) register_rest_route( SoundSystem::$rest_namespace, ‘/playlist/new’, array( ‘methods’ => WP_REST_Server::CREATABLE, ‘callback’ => array( __class__, ‘rest_add_playlist’ ), ‘permission_callback’ => function () { return is_user_logged_in(); }, ‘args’ => array( ‘playlist’ => array( ‘description’ => __( ‘JSPF playlist data’, ‘soundsystem’ … Read more
Sanitization and escaping is always heavily context-dependent and I’m not an expert in this field, anyway I did some ‘research’ myself recently so I’ll try to supply you with some general guidelines until someone with more insight will come and offer the ultimate in-depth answer (which I’ll be eager to read too.) Codex article on … Read more
In the articles case, $title is an arbitrary value, as such it should be escaped via html, but, if it was gotten from a WordPress core function it is probably safe, but you should check anyway For example, get_the_title() can contain html markup and is not escaped by default. Eitherway post and page titles should … Read more
Now I have familiarized myself with the above principles via the documentation and I think I have understood them now I don’t know which documentation you read, but you should check the Plugin Security section in the plugin developer’s handbook. And there are three main issues I noticed in your code: Before attempting to use … Read more
For updating and saving use add_action( ‘edit_term’, ‘save_termmeta_tag’ );
Since WordPress 4.7 there is sanitize_textarea_field(). Which does exactly as you want, from the Codex. Sanitizes a multiline string from user input or from the database.