there are two possible injection vectors, server side and client side server side – Just don’t write your own SQL and use the more high level DB access APIs, in your case probably update_option. If you must to access the DB at lower level make sure the API use wpdb::prepare while generating the SQL, which … Read more
Never edit the WordPress core files. Instead you should hook into the pre_comment_content, which is where the comment text from the textarea is being sanitized, before it’s inserted into the database. In the example below preg_replace is used to sanitize the comment text submitted. You should modify the function to fit your needs. function keha_filter_comment( … Read more
All you need to know about the sanitization and escaping function is within the codex: https://codex.wordpress.org/Data_Validation In anycase, you should find usefull wp_kses_* functions, particular wp_kses_post What function to use depend by what you want to filter and sanitize.
As you can see in the source code of sanitize_title(), all the function does is 3 things apply the function remove_accents(), supposedly to remove accents apply the filter sanitize_title return either $title or $fallback_title Since you’re loading only some partial WordPress files, you’ll probably be missing all the goodies of the filter. I dug a … Read more
esc_js() is intended for escaping data for use within an HTML attribute. If you want to escape data for use within an inline script, wp_json_encode() should be sufficient. For example: var disabledDays = <?php echo wp_json_encode( $iva_disable_days ); ?>; This outputs: var disabledDays = [“4\/7\/2018″,”11\/18\/2017”]; If you check the variable in your dev tools console, … Read more
Safe against/for what? Is “a legitimate user can input any HTML” a safety issue? If you might handle data from kind-of-but-not-really trusted users, how about giving admins the possibility to define which tags/attributes to strip out (optionally: per user group / role) and your plugin does the rest, or run the content through a filter … Read more
sanitize_user function has a sanitize_user filter. The filter gives you $username, $raw_username, $strict from the sanitize_user and expects you to return $username, according to the inline documentation: /** * Filters a sanitized username string. * * @since 2.0.1 * * @param string $username Sanitized username. * @param string $raw_username The username prior to sanitization. * … Read more
I think this is probably not right approach for the way the Customiser is organised. Controls and Settings are pretty much separate entities. Controls can save settings, but settings aren’t tied to a specific control. As far as I’m aware there’s nothing stopping you having multiple controls for a single setting, for example. My suggestion … Read more
Thanks all @ValentinGenev i choose this option, but i’m totally newbie so i Have to study WP much more in order to follow your lead. I found this in my theme (extras.php): if ( $child_theme_support == ‘default’ ) { $categories_list = get_the_category_list(esc_html__(‘, ‘, ‘blossom-fashion-pro’)); }else{ $categories_list = get_the_category_list(esc_html__(‘ ‘, ‘blossom-fashion-pro’)); } if ($categories_list) { echo … Read more
No, it’s not necessary to sanitise in this case. If you were redirecting to the value directly, or outputting it in some way, you would definitely need to, but since you’re just comparing its value against a white list (essentially) no sanitising or escaping is necessary.