If calling, sanitize_text_field(), it actually call an internal function _sanitize_text_fields() and add a filter for override. So First look at _sanitize_text_fields(), which actually do Checks for invalid UTF-8, Converts single < characters to entities Strips all tags <——— including wp_strip_all_tags() here Removes line breaks, tabs, and extra whitespace Strips octets That’s mean if calling sanitize_text_field(), … Read more
You could use “white-space: pre;” in CSS to display newlines as they are
wp-login.php should not require additional effort from you to secure. However, I don’t think that’s what you client is asking for. My question therefore is does WordPress require further development to stop SQL injections etc on login forms? And do I need to apply input sanitation to the login fields? To wp-login.php, no, you don’t. … Read more
This sort of theme mod is only capable of conveying a string into the markup regardless of any sanitization callback – any PHP included within the string will never be interpreted by the PHP engine, short of running the output through eval() which would be extremely dangerous and likely result in the theme failing review … Read more
You should use a nonce to protect yourself from CSRF attacks. Even though you’re not sending anything to the database, I’d suggest using some of the built in data validation functions (there is even a is_email function for you to use!) to strip out any HTML from your email. esc_html( striptags( $your_email_content ) ), for … Read more
In a multi-site installation it is ‘wpmu_validate_user_signup’: add_filter( ‘wpmu_validate_user_signup’, ‘wpse_77904_mu_no_at_in_username’ ); function wpse_77904_mu_no_at_in_username( $user ) { if ( FALSE !== strpos( $user[‘user_name’], ‘@’ ) ) $user[‘errors’]->add(‘user_name’, __( ‘That username is not allowed.’ ) ); return $user; } On single-site it is ‘validate_username’: add_filter( ‘validate_username’, ‘wpse_77904_no_at_in_username’, 10, 2 ); function wpse_77904_no_at_in_username( $valid, $username ) { if … Read more
Your code is working correctly. If you look at the source code of the page, you will see: <script>alert('Test')</script> When the above text gets processed for display by your browser, it then becomes <script>alert(‘Test’)</script> which is what you want to be displayed.
YES. You always escape output that originally comes from user submitted data. To be safe, you always escape variable output, period.
If you want to validate the data then you’ll have to try retrieve user via ID. To only sanitize ID since it’s numeric is enough to cast it as integer, absint() will work fine as a callback.
You are execpeting a WP Error object if the URL has a non-valid protocol but esc_url_raw returns an empty string in that case (see codex), not a WP Error object. So, is_wp_error( $escaped ) never verifies. Also, you are checking an undefined $escaped variable (note that the value of esc_url_raw is stored in $sanitized variable): … Read more