why is esc_html() returning nothing given a string containing a high-bit character?

Perhaps because the entity is a non-UTF8 character? Here's what esc_html() does: function esc_html( $text ) { $safe_text = wp_check_invalid_utf8( $text ); $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES ); return apply_filters( 'esc_html', $safe_text, $text ); } If not that, then it's getting sanitized when filtered by _wp_specialchars(), which does double-encoding (by default, no) and all sorts of things. … Read more

I’m confused about URL sanitization in meta boxes

Choice between esc_url and esc_url_raw depends on the use you have to do with the url. If you have to use the url to display inside html use esc_url, E.g.: $my_link = get_post_meta( $post->ID, 'mod_modbox_link', true ); echo '<a href="' . esc_url($my_link) . '">Open link</a>'; esc_url_raw should be used for any other use, where the … Read more

How does WordPress store data?

I have looked inside WordPress database. Never do that unless you need to have an external utility to be able to read data from the DB. For WordPress development always use the proper API for what you need, there was a lot of time invested into making the APIs efficient and there is no need … Read more

Escape hexadecimals/rgba values

Just finished now the sanitize callback for RGBA colors, and tested in my theme and working perfect, and it's taking RGBA values. Please find the code: function awstheme_sanitize_rgba( $color ) { if ( empty( $color ) || is_array( $color ) ) return 'rgba(0,0,0,0)'; // If string does not start with 'rgba', then treat as hex // … Read more

array_map() for sanitizing $_POST

It’s probably not a great idea. Firstly, if you’ve got other field types then you should probably use more appropriate functions. For example, textarea fields should be sanitised with sanitize_textarea_field(), and color pickers should be sanitized with sanitize_hex_color(). You should also consider that $_POST likely also contains fields that you don’t want to save, such … Read more

What is the difference between sanitize_text_field() and wp_filter_nohtml_kses()?

What Do They Do? wp_filter_nohtml_kses strips all HTML from a string, that's it. It does it via the wp_kses function and it expects slashed data, here's its implementation: function wp_filter_nohtml_kses( $data ) { return addslashes( wp_kses( stripslashes( $data ), 'strip' ) ); } sanitize_text_field on the other hand does more than that, the doc says: … Read more

wp_sanitize_redirect strips out @ signs (even from parameters) — why?

Question: why does wp_sanitize_redirect strip out @ signs, exactly? Anybody could anyway try to load a url with an @ sign in it – is there some security issue I'm not thinking about? Just take a look at the source: function wp_sanitize_redirect($location) { $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!]|i', '', $location); $location = wp_kses_no_null($location); // remove %0d and … Read more

Error!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)