What’s the difference between esc_* functions?

esc_html and esc_attr are near-identical, the only difference is that output gets passed through differently named filters (esc_html and attribute_escape respectively). esc_url is more complex and specific, it deals with characters that can’t be in URLs and allowed protocols (list of which can be passed as second argument). It will also prepend input with …

How to properly validate data from $_GET or $_REQUEST using WordPress functions?

WordPress doesn’t provide any specific data validation functions for SUPERGLOBALS. I use the PHP filter_input function then escape it as I would any untrusted variable.

$url = filter_input( INPUT_GET, 'some_query_string', FILTER_VALIDATE_URL );
echo '<a href="' . esc_url( $url ) . '">Click Me</a>';

The PHP filter input accepts: validate filters, sanitize filters, other filters, additional filter flags.
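The same pattern carried a little further, as an added example that is not part of the answer above: several request parameters of different types are validated with filter_input(), an enumerated value is checked against an explicit allow-list (PHP has no "validate enum" filter), and each value is escaped for the context it is printed into. It assumes it runs inside WordPress (esc_url(), esc_attr() and esc_html() are core functions); the parameter names are made up for the illustration.

```php
<?php
/**
 * Added example (not from the original answer). Assumes WordPress is loaded;
 * the query-string names 'target', 'per_page' and 'order' are hypothetical.
 */

/**
 * Validate the request and return clean values, with null for anything that
 * is absent or fails validation. Nothing is escaped here: escaping depends on
 * the output context, so it happens at render time.
 */
function wpse_example_read_request() {
	// FILTER_VALIDATE_URL returns false on failure and null when absent.
	// It checks URL syntax only, not the scheme.
	$url = filter_input( INPUT_GET, 'target', FILTER_VALIDATE_URL );

	// Integer with a range: anything outside 1..100 yields false.
	$per_page = filter_input(
		INPUT_GET,
		'per_page',
		FILTER_VALIDATE_INT,
		array( 'options' => array( 'min_range' => 1, 'max_range' => 100 ) )
	);

	// Enumerated value: take the raw string and compare it strictly against an
	// allow-list. The exact comparison is the validation; no filter is needed.
	$order = filter_input( INPUT_GET, 'order', FILTER_UNSAFE_RAW );
	if ( ! in_array( $order, array( 'asc', 'desc' ), true ) ) {
		$order = null;
	}

	return array(
		'target'   => $url ? $url : null,
		'per_page' => ( null === $per_page || false === $per_page ) ? null : $per_page,
		'order'    => $order,
	);
}

/**
 * Build the markup, escaping each value for where it lands.
 */
function wpse_example_render( array $req ) {
	$out = '';
	if ( null !== $req['target'] ) {
		// href attribute: esc_url() also restricts the protocol to WordPress's
		// allow-list, which FILTER_VALIDATE_URL alone does not do.
		$out .= '<a href="' . esc_url( $req['target'] ) . '">Click Me</a>';
	}
	if ( null !== $req['per_page'] ) {
		// Already an int, but escaping uniformly keeps the rule simple.
		$out .= '<input type="hidden" name="per_page" value="' . esc_attr( $req['per_page'] ) . '">';
	}
	if ( null !== $req['order'] ) {
		// Text node: esc_html().
		$out .= '<p>Order: ' . esc_html( $req['order'] ) . '</p>';
	}
	return $out;
}

echo wpse_example_render( wpse_example_read_request() );
```

Validation here narrows the input to a known shape; escaping still happens on every value at output, because the escape function is chosen by the HTML context (attribute, URL, text node), not by where the data came from.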

Sanitize content from wp_editor

In short: it depends on your context, the data inside your editor. wp_kses() is really helpful, and you can define your custom allowed HTML tags. Alternatively, you can use the default functions, like wp_kses_post or wp_kses_data. These functions are helpful in ensuring that HTML received from the user only contains white-listed elements. See …

Custom page with variables in url. Nice url with add_rewrite_rule

I think the add_rewrite_tag() is not needed, and can be replaced with adding the variables to the public query vars directly:

// Either directly (in your init hook):
$wp->add_query_var( 'var1' );
$wp->add_query_var( 'var2' );

// Or via a filter:
add_filter( 'query_vars', 'wpse12965_query_vars' );
function wpse12965_query_vars( $query_vars ) {
    $query_vars[] = 'var1';
    $query_vars[] = 'var2';
    return …
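A complete version of that approach, as an added example that is not part of the answer above: a rewrite rule maps /report/<year>/<slug>/ onto two query vars registered through the query_vars filter, and the handler validates both values before using them. The point worth noticing is that a public query var can also be supplied directly as ?wpse_year=... in the URL, which skips the rewrite regex entirely, so the regex is not a substitute for validation. It assumes it runs inside WordPress as a plugin; the rule, variable names and rendering are made up for the illustration.

```php
<?php
/**
 * Added example (not from the original answer). Assumes WordPress is loaded;
 * the URL pattern and the 'wpse_year' / 'wpse_slug' names are hypothetical.
 */

add_action( 'init', 'wpse_example_register_rewrite' );
function wpse_example_register_rewrite() {
	// The regex constrains what the pretty URL can carry: four digits and
	// slug characters. Flush rewrite rules once (e.g. on activation), not here.
	add_rewrite_rule(
		'^report/([0-9]{4})/([a-z0-9-]+)/?$',
		'index.php?wpse_year=$matches[1]&wpse_slug=$matches[2]',
		'top'
	);
}

add_filter( 'query_vars', 'wpse_example_query_vars' );
function wpse_example_query_vars( $query_vars ) {
	$query_vars[] = 'wpse_year';
	$query_vars[] = 'wpse_slug';
	return $query_vars;
}

add_action( 'template_redirect', 'wpse_example_handle_report' );
function wpse_example_handle_report() {
	$year = get_query_var( 'wpse_year' ); // '' when not present
	$slug = get_query_var( 'wpse_slug' );
	if ( '' === $year && '' === $slug ) {
		return; // not our URL, let WordPress carry on
	}

	// Validate again: ?wpse_year=...&wpse_slug=... bypasses the regex above.
	$year = absint( $year );
	$slug = sanitize_title( $slug );
	if ( $year < 2000 || $year > (int) gmdate( 'Y' ) || '' === $slug ) {
		global $wp_query;
		$wp_query->set_404();
		status_header( 404 );
		return;
	}

	// Render with every value escaped for its HTML context.
	status_header( 200 );
	header( 'Content-Type: text/html; charset=utf-8' );
	echo '<h1>Report ' . esc_html( $year ) . ': ' . esc_html( $slug ) . '</h1>';
	exit;
}
```

sanitize_title() reduces the slug to the same character set the rewrite regex allows, so both entry points (pretty URL and raw query string) end up with identically constrained values.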

What is the difference between wp_strip_all_tags and wp_filter_nohtml_kses?

The wp_strip_all_tags() function will remove all HTML, including the content of script and style tags. The PHP strip_tags() function largely does the same thing, except it won’t eliminate the content of script and style tags. WP’s wp_strip_all_tags() function uses this after eliminating the scripts and styles manually. The wp_filter_nohtml_kses() function uses kses to remove all …
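The difference in plain PHP, as an added example that is not part of the answer above: strip_tags() alone leaves the bodies of script and style elements behind as visible text, while removing those elements first (the order wp_strip_all_tags() uses) drops them. The helper here is a local re-implementation written for this example so it runs without WordPress; it is not WordPress's own function, and the sample input is constructed.

```php
<?php
/**
 * Added example (not from the original answer). Plain PHP, no WordPress
 * required; example_strip_all_tags() is a hypothetical local helper that
 * mirrors the approach described in the answer, not wp_strip_all_tags().
 */

/**
 * Remove <script> and <style> elements together with their contents, then
 * strip the remaining tags and collapse runs of whitespace.
 */
function example_strip_all_tags( string $html ): string {
	$html = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $html );
	$html = strip_tags( $html );
	return trim( preg_replace( '/[\r\n\t ]+/', ' ', $html ) );
}

// Constructed sample: markup with an inline script and stylesheet.
$sample = '<p>Hello <b>world</b></p><script>alert("x")</script><style>p{}</style>';

echo "strip_tags():             ", strip_tags( $sample ), "\n";
echo "example_strip_all_tags(): ", example_strip_all_tags( $sample ), "\n";
```

With that input, strip_tags() keeps the text alert("x") and p{} (the tags are gone but their contents remain), whereas the helper returns only "Hello world". Neither function is an escaping function: the result is plain text and still needs esc_html() or equivalent when it is printed into a page.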

Sanitize and data validation with apply_filters() function

There’s some confusion here, because not all of these are validation, there are 2 others that are necessary to understand what’s appropriate: validation, sanitisation, escaping.

Sanitisation: sanitisation makes things clean and well formed. This cleans up the data, e.g. trimming trailing spaces, removing letters in a number field, making an all lowercase field all lowercase, …

Escaping and sanitizing SVGs in metabox textarea

Here is a PHP library that was created for sanitizing SVG files that may be worth looking into. https://github.com/darylldoyle/svg-sanitizer

Here is an example of how this could be used:

// Now do what you want with your clean SVG/XML data
function your_save_meta( $post_id, $post, $update ) {
    // - Update the post's metadata.
    if ( …
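A fuller save handler built around that library, as an added example that is not part of the answer above: it does the nonce and capability checks a save_post callback needs, passes the raw textarea value through the sanitizer, and stores the result only when sanitization succeeds. It assumes WordPress, Composer autoloading of enshrined/svg-sanitizer (the sanitize() call is the library's documented API), and made-up meta key, field and nonce names.

```php
<?php
/**
 * Added example (not from the original answer). Assumes WordPress and the
 * Composer autoloader for enshrined/svg-sanitizer are loaded; the field name
 * 'wpse_svg', nonce 'wpse_save_svg' and meta key '_wpse_svg' are hypothetical.
 */

use enshrined\svgSanitize\Sanitizer;

add_action( 'save_post', 'wpse_example_save_svg', 10, 3 );
function wpse_example_save_svg( $post_id, $post, $update ) {
	if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
		return;
	}
	if ( ! isset( $_POST['wpse_svg_nonce'] )
		|| ! wp_verify_nonce( $_POST['wpse_svg_nonce'], 'wpse_save_svg' ) ) {
		return;
	}
	if ( ! current_user_can( 'edit_post', $post_id ) || ! isset( $_POST['wpse_svg'] ) ) {
		return;
	}

	// Do not run the SVG through sanitize_text_field() or wp_kses_post(): the
	// first strips it to nothing useful, the second does not know SVG elements.
	$dirty = wp_unslash( $_POST['wpse_svg'] );

	$sanitizer = new Sanitizer();
	$clean     = $sanitizer->sanitize( $dirty );

	// sanitize() returns false when the input cannot be parsed as XML.
	if ( false === $clean || '' === trim( $clean ) ) {
		delete_post_meta( $post_id, '_wpse_svg' );
		return;
	}

	update_post_meta( $post_id, '_wpse_svg', $clean );
}

/**
 * Output side: inline SVG is markup, so esc_html() would turn it into visible
 * text. The stored value was sanitized on input; re-running the sanitizer on
 * output costs little and covers a database edited by other means.
 */
function wpse_example_render_svg( $post_id ) {
	$svg = get_post_meta( $post_id, '_wpse_svg', true );
	if ( '' === $svg ) {
		return '';
	}
	$sanitizer = new Sanitizer();
	$clean     = $sanitizer->sanitize( $svg );
	return false === $clean ? '' : $clean;
}
```

Storing the sanitized markup rather than the raw submission means a later template cannot accidentally print the unsanitized version; sanitizing again at render time is a cheap second line of defense.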

How to safely sanitize a textarea which takes full HTML input

There is already a huge list built for you, which can be returned by wp_kses_allowed_html() based on context, and filtered via the wp_kses_allowed_html filter, also contextually. Creating that list should not be hard. However, “the whole range of HTML tags that might appear in an HTML email” should be pretty close to the range allowed …

When to use esc_html and when to use sanitize_text_field?

esc_html() is more or less lossless — it just turns HTML markup into encoded visible text, so that it’s not rendered as markup by browser. Semantically it’s escape, so it’s meant to be used to make output to page safe. sanitize_text_field() however actually removes all HTML markup, as well as extra whitespace. It leaves nothing …

Should HTML output be passed through esc_html() AND wp_kses()?

The general rule, at least as espoused by Mark Jaquith, is sanitize on input, escape on output (the corollary to this rule being sanitize early, escape late). So: use sanitization filters (such as the kses() family) when storing untrusted data in the database, and use escaping filters (i.e. the esc_*() family) when outputting untrusted data …
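The split described in the last three answers (validation versus sanitisation versus escaping, esc_html() versus sanitize_text_field(), and whether esc_html() and wp_kses() should be stacked) in one piece of code, as an added example that is not part of any of the answers above: a plain-text field and an HTML field are sanitized once on save and escaped for their context on every render. It assumes WordPress; the option name, form fields and nonce action are made up for the illustration.

```php
<?php
/**
 * Added example (not from the original answers). Assumes WordPress is loaded;
 * the option 'wpse_banner', the fields 'banner_title' / 'banner_body' and the
 * admin-post action 'wpse_save_banner' are hypothetical.
 */

// --- Input: runs once, when the admin form is submitted. -------------------
add_action( 'admin_post_wpse_save_banner', 'wpse_example_save_banner' );
function wpse_example_save_banner() {
	check_admin_referer( 'wpse_save_banner' ); // nonce check
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions' );
	}

	// Plain text: sanitize_text_field() strips tags, invalid octets and extra
	// whitespace. Using esc_html() here instead would store entities such as
	// &lt;b&gt; in the database, which then get double-encoded on output.
	$title = sanitize_text_field( wp_unslash( $_POST['banner_title'] ?? '' ) );

	// Rich text: wp_kses_post() keeps the tags a post may contain and removes
	// <script>, on* event attributes and disallowed URL protocols.
	$body = wp_kses_post( wp_unslash( $_POST['banner_body'] ?? '' ) );

	update_option( 'wpse_banner', array( 'title' => $title, 'body' => $body ) );

	$back = wp_get_referer();
	wp_safe_redirect( $back ? $back : admin_url() );
	exit;
}

// --- Output: runs on every render; escape for the context regardless. ------
function wpse_example_render_banner() {
	$banner = get_option( 'wpse_banner', array( 'title' => '', 'body' => '' ) );

	// Attribute context: esc_attr(). Text node: esc_html(). Still required even
	// though the value was sanitized on save (the DB can be edited directly).
	$html  = '<div class="banner" data-title="' . esc_attr( $banner['title'] ) . '">';
	$html .= '<h2>' . esc_html( $banner['title'] ) . '</h2>';

	// HTML field: wp_kses_post() again, not esc_html(). esc_html() would turn
	// the stored <p> and <a> into visible text; running both adds no safety,
	// it only breaks the markup.
	$html .= wp_kses_post( $banner['body'] );

	$html .= '</div>';
	return $html;
}
```

The choice of output function follows the field's meaning: a value that is supposed to be text gets esc_html() or esc_attr(), a value that is supposed to be HTML gets wp_kses_post(). Applying esc_html() on top of wp_kses() is not defense in depth, it is a different contract (text instead of markup), which is why the two are not stacked.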