For the first example, a lot of people will use wp_kses_post to handle basic HTML output from wrapper functions. It’s a shortcut for some basic attributes and tags using wp_kses. You could use this function where you specify allowed tags and attributes that can pass through for the second example.
No, there is no function for that. You would need a complete JavaScript parser. This is not part of the WordPress core.
WordPress will not do any data sanitization for you. It does do sanitization/validation of the default options. You have to pass in the third argument of register_setting and either role your own validation callback or or use one of the builtins. If your options is only going to contain a string, you could do something … Read more
I can’t use $wpdb->prepare, since I want to be able to add variables to my query string that look something like: $var = “AND pm.meta_value=”%$_POST[“val’]%'”; To get a literal % to pass through $wpdb->prepare just double it. You don’t need to be avoiding $wpdb->prepare. Proof of concept: var_dump($wpdb->prepare(‘SELECT * FROM {$wpdb->posts} WHERE post_title LIKE “%%%s%%”‘,’Hello’)); … Read more
This behavior is most likely intended, and can be disabled. However it might break other features too. There are a couple of workarounds, that you can try. Break the Image URL and File Name You can pass the arguments to your shortcode in the following way: [theimg path=”https://s.w.org/about/images/logos/” filename=”wordpress-logo-simplified-rgb.png” ] This will prevent the editor … Read more
$url = esc_url ( str_replace(‘ ‘ , ‘-‘, $url ) ); Replace the spaces to – chars before activating esc_url function, and your problem is solved.
This maybe just a personal distinction but I consider: data validation to mean is the data ‘correct’? Is it what we expect? data sanitisation to mean is the data *safe to use * Though there can be some blurring, typically data validation will only occur when a user-input is taken, or some data is obtained … Read more
Either way this seems like a very clunky solution for arbitrary markup in shortcode. If only one of attributes is more bulky and includes markup I would consider making shortcode enclosing: [infobox src=”http://www.google.com” title=”Google”] Some description – see more: <a href=”http://www.google.com”>More here</a> [/infobox] You might be to the point when you’ll need to built custom … Read more
There is no filter to change that behavior, you would have to replace the entire metabox. On the other hand: I think there is no really simple way to show and to save those arrays. Example for a fictive meta key ‘foo’: array ( 0 => 2, ‘hello’ => array ( 0 => 2, ‘hello’ … Read more
Sanitizing is required when you are inserting user input into Database or outputting it in HTML etc. Here, you are simply doing a String comparison. wp_verify_nonce function checks $nonce value like this: if ( hash_equals( $expected, $nonce ) ) { return 1; } For this you don’t need sanitizing. So the following is fine: wp_verify_nonce( … Read more