Yes, WordPress will sanitise data on its way to the database, so long as you use the APIs. If you’re using the wpdb object however you’ll need to use the prepare method to sanitise. I recommend against writing SQL queries as it bypasses object caches etc, but if you must write your own SQL, use … Read more
You’re not supposed to assign multiple variables on a single line. Do them separately: $pf_param_string = substr( $pf_param_string, 0, – 1 ); $validate_string = $pf_param_string; Or, if you don’t need both variables, just skip one of them: $validate_string = substr( $pf_param_string, 0, – 1 );
The problem is with your selectors: attributes: { content: { type: ‘string’, source: ‘html’, selector: ‘p’, }, content2:{ type: ‘string’, source: ‘html’, selector: ‘p’, }, }, You’re only using p for both attributes. When the block looks at the saved HTML to validate it, it checks to see if the value of the selectors matches … Read more
Data Sanitization in WordPress … https://developer.wordpress.org/themes/theme-security/data-sanitization-escaping/
From WordPress Tavern – the article is for WordPress password-protected posts but the final paragraph reads: This update only affects password-protected posts. WordPress user passwords don’t share the same length restrictions and can be upwards of 1,000 characters long if so desired.
I think the common issue (that I myself have at times) with understanding data validation that we try to approach it as function-centric (which one to use), while it should be approached as process: where data comes from where it goes what unwanted and/or harmful things it might include The confusing amount of function comes … Read more
esc_textarea shouldn’t strip out newlines — It’s just a thin wrapper around htmlspecialchars: http://core.trac.wordpress.org/browser/tags/3.3.2/wp-includes/formatting.php#L2536 <?php function esc_textarea( $text ) { $safe_text = htmlspecialchars( $text, ENT_QUOTES ); return apply_filters( ‘esc_textarea’, $safe_text, $text ); } That said, there are lots of options. What do you want your users to do have the ability to post? esc_html will … Read more
In the articles case, $title is an arbitrary value, as such it should be escaped via html, but, if it was gotten from a WordPress core function it is probably safe, but you should check anyway For example, get_the_title() can contain html markup and is not escaped by default. Eitherway post and page titles should … Read more
If we look at the file /wp-includes/default-filters.php we can find these two lines in there add_action( ‘wp_head’, ‘feed_links’, 2 ); add_action( ‘wp_head’, ‘feed_links_extra’, 3 ); so if we want to remove these actions, we can do it with these two lines in functions.php: remove_action(‘wp_head’,’feed_links’,2); remove_action(‘wp_head’,’feed_links_extra’,3); So the feed links will be removed from the <head> … Read more
Filter the_category, and remove those attributes: add_filter( ‘the_category’, ‘t5_remove_cat_rel’ ); function t5_remove_cat_rel( $list ) { return str_replace( array ( ‘rel=”category tag”‘, ‘rel=”category”‘ ), ”, $list ); }