What you (and probably 99% of the theme authors) are trying to do is just wrong. Users should not be expected to know CSS to customize a theme, and if they do need to go into such a low level, the right thing for them to do is to create a child theme and insert … Read more
Contrary to what you have been looking at, esc_html does not strip all the HTML, it escapes it, meaning it encodes it into safe HTML entities that do not break HTML tags. wp_filter_nohtml_kses strips all the HTML. When in doubt always consult the source code. It is accessible online. esc_attr is short and sweet, uses … Read more
Instead of using add_settings_section() and add_settings_field() every time, create a function that returns an array of options for example: function my_theme_options() { $options = array(); $options[] = array( ‘id’ => ‘ID’, ‘title’ => ‘Title’, ‘type’ => ‘text_field’, // use this value to sanitize/validate input ‘validate’ => ‘url’ // use this value to validate the text … Read more
You can use wpdb insert function. It’s better in every way. It can care about data’s escapeing itself and it’s shorter. You can use your own query anyway but I would recommended this article for reading https://codex.wordpress.org/Data_Validation#Database
From the codex: wp_filter_kses should generally be preferred over wp_kses_data because wp_magic_quotes escapes $_GET, $_POST, $_COOKIE, $_SERVER, and $_REQUEST fairly early in the hook system, shortly after ‘plugins_loaded’ but earlier then ‘init’ or ‘wp_loaded’. The first set is then preferred. More of a question of, “is stripping slashes more secure than not?” They both use … Read more
No the sanitization is already done. Well the mysql_real_escape_string is done, it’s considered bad form to filter html on input. I personally think doing it on output kinda breaches DRY. If you did in WordPress I highly suspect somewhere else will do it again resulting in double html entities encoding. Also by the way, wpdb::insert … Read more
You’ll a need a real CSS parser like this one to filter the CSS. Regular expressions or simple string replacements are not safe enough.
For integers KSES has no special function. Use (int) or intval() or absint() See more: Data Validation – Integers
Uppercase characters are not blocked in usernames on single site setups. Uppercase characters ARE blocked in usernames on multisite setups. The wpmu_validate_user_signup function forces lowercase a-z and numbers 0-9 only.
is_email() will take the provided string( a email address) and run checks on it to ensure that it is indeed an email address and that the string has no illegal characters in it. It would simply not change anything in the string you provided but return either true if the string passes all the function … Read more