After thinking about this a little bit, I guess that the proper way to ensure that your comments are properly escaped, is by doing something like this: $the_comment = get_comment_text(); echo ‘<p>’ . esc_html($the_comment) . ‘</p>’; Instead of simply using the function like this: comment_text(); Why even have these handy functions in the first place, … Read more
Perhaps because the entity is a non-UTF8 character? Here’s what esc_html() does: function esc_html( $text ) { $safe_text = wp_check_invalid_utf8( $text ); $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES ); return apply_filters( ‘esc_html’, $safe_text, $text ); } If not that, then it’s getting sanitized when filtered by _wp_specialchars(), which does double-encoding(by default,no) and all sorts of things. … Read more
Looking on line 1857 of WP_Query’s code, it seems as though sanitization is done for you, so just run with whatever search term is put in. Current version of wordpress is 3.3, in case the code changes down the line.
Choice between esc_url and esc_url_raw depends on the use you have to do with the url. If you have to use the url to display inside html use esc_url, E.g.: $my_link = get_post_meta( $post->ID, ‘mod_modbox_link’, true ); echo ‘<a href=”‘ . esc_url($my_link) . ‘”>Open link</a>’ esc_url_raw should be used for any other use, where the … Read more
I have looked inside WordPress database. Never do that unless you need to have an external utility to be able to read data from the DB. For wordpress development always use the proper API for what you need, there was a lot of time invested into making the APIs efficient and there is no need … Read more
Correct processing of `$_POST`, following WordPress Coding Standards
Just finished now the sanitize callback for RGBA colors.and tested in my theme and working perfect, and its taking RGBA values please find the code function awstheme_sanitize_rgba( $color ) { if ( empty( $color ) || is_array( $color ) ) return ‘rgba(0,0,0,0)’; // If string does not start with ‘rgba’, then treat as hex // … Read more
wp_kses to the rescue! My Editor Contains everything a Post Might Pass the result through wp_kses_post on the way in and out, and all should be good. Remember, this will strip out anything added by the_content filter, so to preserve oembeds and shortcodes, use this: echo apply_filters( ‘the_content’, wp_kses_post( $content ) ); You might also … Read more
It’s probably not a great idea. Firstly, if you’ve got other field types then you should probably use more appropriate functions. For example, textarea fields should be sanitised with sanitize_textarea_field(), and color pickers should be sanitized with sanitize_hex_color(). You should also consider that $_POST likely also contains fields that you don’t want to save, such … Read more
What Do They Do? wp_filter_nohtml_kses strips all HTML from a string, that’s it. It does it via the wp_kses function and it expects slashed data, here’s its implementation: function wp_filter_nohtml_kses( $data ) { return addslashes( wp_kses( stripslashes( $data ), ‘strip’ ) ); } sanitize_text_field on the other hand does more than that, the doc says: … Read more