It’s actually a good question. Of course user input cannot be trusted, but also sanitizing the same value twice “just in case” isn’t the best solution for a problem. The only real answer to this question can be given by looking at the code and following what goes on. And after reading it for a … Read more
When accepting user data inputs, I think that data validation must be performed if possible, not only sanitization. For example, you could expect a number, a bool value, a text string (even when the input is a selectbox it can have a string value), etc. You can santize for that data types; then you can … Read more
It’s probably best to render the shortcode on output by running it through do_shortcode()
You need to change the type from textarea to textarea_raw_html: https://kb.wpbakery.com/docs/inner-api/vc_map/ Under the section “Available type values” it says: textarea_raw_html: Text area, its content will be coded into base64 (this allows you to store raw js or raw html code) Although I’m not sure why they can base64 encode the output from this but not … Read more
I’m not sure if this is a bug, but it need further investigation. I’ve run a few quick tests on the name field in a tax_query, and whenever a term name has got a special character or have more than one word, the tax_query is excluded from the SQL query TEST 1 I have use … Read more
No. Parameters given to the WP_Query object only need to be escaped for the database query – this is handled by WordPress.
It seems you are working on the wrong end. Try sanitizing the user input, for instance by means of sanitize_text_field, not the shortcode output.
What you (and probably 99% of the theme authors) are trying to do is just wrong. Users should not be expected to know CSS to customize a theme, and if they do need to go into such a low level, the right thing for them to do is to create a child theme and insert … Read more
Contrary to what you have been looking at, esc_html does not strip all the HTML, it escapes it, meaning it encodes it into safe HTML entities that do not break HTML tags. wp_filter_nohtml_kses strips all the HTML. When in doubt always consult the source code. It is accessible online. esc_attr is short and sweet, uses … Read more
Instead of using add_settings_section() and add_settings_field() every time, create a function that returns an array of options for example: function my_theme_options() { $options = array(); $options[] = array( ‘id’ => ‘ID’, ‘title’ => ‘Title’, ‘type’ => ‘text_field’, // use this value to sanitize/validate input ‘validate’ => ‘url’ // use this value to validate the text … Read more