I think the add_rewrite_tag() is not needed, and can be replaced with adding the variables to the public query vars directly: // Either directly (in your init hook): $wp->add_query_var( ‘var1’ ); $wp->add_query_var( ‘var2’ ); // Or via a filter: add_filter( ‘query_vars’, ‘wpse12965_query_vars’ ); function wpse12965_query_vars( $query_vars ) { $query_vars[] = ‘var1’; $query_vars[] = ‘var2’; return … Read more
The wp_strip_all_tags() function will remove all HTML, including the content of script and style tags. The PHP strip_tags() function largely does the same thing, except it won’t eliminate the content of script and style tags. WP’s wp_strip_all_tags() function uses this after eliminating the scripts and styles manually. The wp_filter_nohtml_kses() function uses kses to remove all … Read more
There’s some confusion here, because not all of these are validation, there are 2 others that are necessary to understand what’s appropriate: validation sanitisation escaping Sanitisation Sanitisation makes things clean and well formed This cleans up the data, e.g. trimming trailing spaces, removing letters in a number field, making an all lowercase field all lowercase, … Read more
Here is a PHP library that was created for sanitizing SVG files that may be worth looking into. https://github.com/darylldoyle/svg-sanitizer Here is an example of how this could be used: // Now do what you want with your clean SVG/XML data function your_save_meta( $post_id, $post, $update ) { // – Update the post’s metadata. if ( … Read more
There is already a huge list built for you, which can be returned by wp_kses_allowed_html() based on context, and filtered via the wp_kses_allowed_html filter, also contextually. Creating that list should not be hard. However, “the whole range of HTML tags that might appear in an HTML email” should be pretty close to the range allowed … Read more
esc_html() is more or less lossless — it just turns HTML markup into encoded visible text, so that it’s not rendered as markup by browser. Semantically it’s escape, so it’s meant to be used to make output to page safe. sanitize_text_field() however actually removes all HTML markup, as well as extra whitespace. It leaves nothing … Read more
The general rule, at least as espoused by Mark Jaquith, is sanitize on input, escape on output (the corollary to this rule being sanitize early, escape late). So: use sanitization filters (such as the kses() family) when storing untrusted data in the database, and use escaping filters (i.e. the esc_*() family) when outputting untrusted data … Read more
You don’t have to do anything. On WP load: ‘init’ hook -> kses_init() -> kses_init_filters() Later: wp_insert_post() -> sanitize_post() -> sanitize_post_field() -> ‘content_save_pre’ -> wp_filter_post_kses() Similarly for post titles, comment text etc. Conclusion: wp_insert_post() is very sanitized. 🙂
Looking at the is_email() functionality on trac, it looks like you don’t need to sanatizie as it’s just string testing. I would even go so far as to say that if this function returns true, you wouldn’t need to sanitize it before sending it into the database.
This codex page explains it pretty well I think. The most important and commonly used function is probably esc_attr. Take this example: <a href=”https://wordpress.stackexchange.com/questions/48660/<?php print $author_url; ?>” title=”<?php print $author_name; ?>”> <?php print $author_name; ?> </a> If $author_name contains a ” character you get your attribute closed, and if that character is followed by onclick=”do_something();” … Read more